- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Palo Alto Networks App for Splunk: Why are all das...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?
I set up the Palo Alto Networks App for Splunk, but all of the dashboards are blank except for the overview. The firewall is configured to send the log data via syslog (not using 514 as it is already being used). I verified that I am getting traffic, threat, configuration log data, however, none of the dashboards are populating with new data other than the overview dashboard.
I verified that I am getting new log data by running pan_traffic and pan_threat and selecting a 30 second time Window for real-time.
I had this issue with 5.1.x and I upgraded to 5.2.0 since I had recently upgraded the PANOS (TA is at version 3.6.1), but the dashboards are still empty. I was prompted to set the app back up after the upgrade, but everything needed was already in the configuration file so I just clicked save. Same results, Overview works, but none of the other dashboards.
Versions:
Splunk: 6.3.3
PAN App: 5.2.0
TA: 3.6.1
Thanks,
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please confirm that your sourcetypes are correct. They should start with pan:
See:
http://pansplunk.readthedocs.io/en/latest/getting_started.html#step-3-create-the-splunk-data-input
Also check to see if you have the your role "Indexes to search by default" with the paloalto index selected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The index is in the list of indexes to search and my inputs.conf file is as needed:
[udp://5141]
sourcetype = pan:log
no_appending_timestamp = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so if you search with just sourcetype=pan:log
you get events?
and those events have the expected fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get events. 3,602,097 events (Partial results for before 8/9/16 2:52:38.000 PM) ( I stopped the search)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are they parsed correctly meaning you see the expected fields?
Next thing to try will be to look at the dashboard panel, move your mouse to the left bottom, an icon should appear to allow you to run the search. Take a look at that search to determine where the issue is. If the icon is not there then look at the job inspector to find the search it is running to fill the panel.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search terms:
None | tstats sum(bytes_sent) AS sumSent sum(bytes_received) AS sumReceived FROM pan_traffic where log_subtype=end groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"
Here is the search:
| tstats sum(bytes_sent) AS sumSent sum(bytes_received) AS sumReceived FROM pan_traffic where log_subtype=end groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sean,
Have you tried going through the troubleshooting guide?
http://pansplunk.readthedocs.io/en/latest/troubleshoot.html
Thanks,
Paul
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reports finished but i am still not getting results. I did find that if I change the time range to all time I get results from last year. I had to stopped forwarding data from our firewall due to license over run, which is no longer an issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you add
no_appending_timestamp = true
in inputs.conf UDP stanza?
Can you also confirm clocks and timezones on the firewall and splunk server are the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs:
[udp://5141]
sourcetype = pan:log
no_appending_timestamp = true
Both are in the right time zone and are showing the same time.
I checked out splunkd.log and found:
08-09-2016 14:22:30.545 -0400 ERROR FrameworkUtils - Incorrect path to script: /.\bin\scripted_inputs\deploy_splunk_ta_paloalto.py. Script must be located inside $SPLUNK_HOME/bin/scripts.
08-09-2016 14:22:30.545 -0400 ERROR ExecProcessor - Ignoring: "'/.\bin\scripted_inputs\deploy_splunk_ta_paloalto.py'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. I checked the accelerated reports and confirmed that they were each (3) were at 100%. I chose to rebuild them in case something went wrong the first go. They have not finished yet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked the acceleration on my install, as well. It was only at 32% so I started a rebuild.
when the rebuild reached ~75% the other dashboards starting working; However, it is now at 98.63% and the other dashboards have stopped working again...
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
