Upgraded to Version 5 - Unable to see Data in the Overview

raybowden
New Member

Hello All,

I have followed the guide from here - http://pansplunk.readthedocs.org/en/latest/upgrade.html#upgrade-to-app-version-5-0

I recreated the index as pan_logs from the GUI after installing the App

But I am unable to see any real-time stats on the Overview; surprisingly, I can see data in all the other dashboards.

0 Karma
1 Solution

btorresgil
Builder

Hello, if you're missing data from only one dashboard (in this case, Overview Dashboard), it's most likely that dashboard was modified at some point, so you have a version of it in the app's local directory. This means you're using a modified version of the dashboard from an older version of the app, rather than the dashboard from the new version of the app.

Check your local directory in the app for any dashboards. They are found in $APP_DIR/local/data/ui/views.

Delete any XML files you find there that you didn't create yourself. This will remove your customizations to the stock dashboards, but will allow you to use the upgraded dashboards that came with the new version of the app. If you have customizations you want to keep, you can copy those customizations, then copy the new dashboards from default to local and apply the customizations there.

If that doesn't fix the problem, check your inputs to verify you are receiving new data. The Overview Dashboard is real-time and shows only fresh data being received now. The other dashboards show historical data. So it's possible a missing or misconfigured data input could cause this problem.

UPDATE: Another possible cause is that the pan_logs index is not in the list of Indexes searched by default. I just added a note to the 5.0 upgrade guide under the Index section on how to correct this. It should make your macro modifications unnecessary.

Upgrade Guide:
http://pansplunk.readthedocs.org/en/latest/upgrade.html#index

0 Karma
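The check from the accepted answer, written out as an added example (this is not code from the thread or from the Palo Alto Networks app): it lists the dashboard XML files in an app's local/data/ui/views that shadow a stock dashboard of the same name in default/data/ui/views, which are the stale copies that survive an upgrade, and separately lists the administrator-created views that exist only in local. APP_DIR is assumed to be the app's root directory (for example $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks); adjust it to your install.

```shell
#!/bin/sh
# Added example for this thread, not code from the app or the poster.
# Finds local dashboard overrides that hide the upgraded stock dashboards.
# APP_DIR (argument 1) is assumed to be the app root, e.g.
# $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks (assumption, not from the thread).

# Print, one per line, the names of views in local/ that also ship in default/.
# These are the overrides the accepted answer says to delete or re-merge.
shadowed_views() {
    local_dir="$1/local/data/ui/views"
    default_dir="$1/default/data/ui/views"
    [ -d "$local_dir" ] || return 0          # nothing in local: nothing shadowed
    for f in "$local_dir"/*.xml; do
        [ -e "$f" ] || continue              # glob did not match: no XML files
        name=$(basename "$f")
        if [ -e "$default_dir/$name" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Print, one per line, the names of views that exist only in local/.
# These are administrator-created dashboards and are safe to keep.
local_only_views() {
    local_dir="$1/local/data/ui/views"
    default_dir="$1/default/data/ui/views"
    [ -d "$local_dir" ] || return 0
    for f in "$local_dir"/*.xml; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ ! -e "$default_dir/$name" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Stand-alone use: sh check_views.sh "$APP_DIR"
if [ $# -eq 1 ]; then
    echo "Local views shadowing a stock dashboard (review, then delete or re-merge):"
    shadowed_views "$1"
    echo "Local-only views (administrator-created, safe to keep):"
    local_only_views "$1"
fi
```

For each shadowed view, `diff "$APP_DIR/local/data/ui/views/NAME" "$APP_DIR/default/data/ui/views/NAME"` shows exactly which customizations you would lose by deleting the local copy.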

raybowden
New Member

I reverted the changes to the macros.conf file and added pan_logs as an index searched by default, and it also resolved the issue.

0 Karma

raybowden
New Member

I have been able to resolve this myself. I looked into the previous default folder from before the upgrade and I can see that the macros.conf didn't have any index definitions in it.

Changed from:

# Base Macros

# This macro is deprecated, but is here for legacy
# dashboards created by administrators so they don't break.
# It is better to use the pan_logs macro.
[pan_index]
definition = eventtype="pan"

[pan_logs]
definition = eventtype="pan"

[pan_threat]
definition = eventtype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")

[pan_threat_all]
definition = eventtype="pan_threat"

[pan_traffic]
definition = eventtype="pan_traffic"

[pan_system]
definition = eventtype="pan_system"

Changed to:

# Base Macros
# index=pan_logs is prepended to every definition so each macro's search is
# pinned to the pan_logs index.

# This macro is deprecated, but is here for legacy
# dashboards created by administrators so they don't break.
# It is better to use the pan_logs macro.
[pan_index]
definition = index=pan_logs eventtype="pan"

[pan_logs]
definition = index=pan_logs eventtype="pan"

[pan_threat]
definition = index=pan_logs eventtype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")

[pan_threat_all]
definition = index=pan_logs eventtype="pan_threat"

[pan_traffic]
definition = index=pan_logs eventtype="pan_traffic"

[pan_system]
definition = index=pan_logs eventtype="pan_system"

0 Karma

btorresgil
Builder

You shouldn't need to add index=pan_logs to these macros, because eventtype="pan" should cover any Palo Alto Networks logs across all indexes. If it isn't working that way, try adding your pan_logs index as a default search index for your user or role in Splunk. I'd be interested to know why adding index=pan_logs to the macro really makes a difference in your environment because it usually shouldn't be needed.

0 Karma