Splunk for Palo Alto Networks: Searching for users...

nk-1 · ‎06-12-2015

I'm trying to figure out who's using the most bandwidth today doing what, via:

<pre>index=pan_logs earliest=-0d@d | stats sum(elapsed_time) as duration, sum(bytes) as sbytes by user, app | table user app sbytes duration</pre>

I always get a user named "unknown" as the top user.
How does something get classified as "unknown" in the Palo Alto app?

bravon · ‎06-15-2015

unknown means that USERID either is disabled or PA does not know what the user is. (That means that the PA itself should show you the same information - don't think its a Splunk-issue)

bravon · ‎06-16-2015

When i run the query I get users listed.

Try this:

 index=pan_logs user="*" | top 20000 user

Run it "Last 60 minutes" or something

This returns thousands of users for me - what does it list for you?

nk-1 · ‎06-16-2015

Top user (75%) is "unknown" for the past hour, using your query above.
Many other specific users listed below that.

If I drill down on "unknown", I can get the client_ip, and based on the timestamp, I can find out who they really are.
But why is PAN logging "unknown"?

bravon · ‎06-17-2015

Check the PA Box Logs - if it logs it the same way this cannot be solved within Splunk.

nk-1 · ‎06-15-2015

I'm a little concerned that the biggest bandwidth user for the various categories is always "unknown" and not some specific individual.
Could someone else running the Palo Alto Networks app run the above query and let me know if this "unknown" user is a common phenomenon there too?
If it isn't, I might have to speak to the PAN implementers here to see why it is logging "unknown".
Thanks.

Splunk for Palo Alto Networks: Searching for users using the most bandwidth, how is a user classified as "unknown"?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!