
Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO
Path Finder

Hello. I've been running this app within Splunk for a few months. I have two PANs sending syslog feeds and am capturing just about everything. All severities and URLs. The traffic and threat dashboards were populating just fine and then I open them up today and BAM. Nothing. I haven't changed a thing on either the PANs or the Splunk server. Any thoughts as to what might cause this?
The first graph in traffic is "bytes transferred over time". It just says "Search is waiting for input" and when I click on the little "i" it says "Unknown sid".

Thanks in advance!


BrendanCO
Path Finder

Can anyone else from the development team chime in here? I'm at a loss and can only get 1 response every 24 hours or so. This is becoming urgent.


BrendanCO
Path Finder

I put in the following query, copied directly from your source code in the Traffic Dashboard:
| `pan_tstats` sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM node(log.traffic.end) $action$ $src_ip$ $dest_ip$ $dest_port$ "$user|s$" $app$ groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"

I get this error:

Error in 'TsidxStats': WHERE clause is not an exact query


BrendanCO
Path Finder

Hello. I've rebuilt all of the data models and the dashboards are still not populating. I've set the time value to "all time" and am not seeing anything. Please let me know what else I should try.


BrendanCO
Path Finder

Thanks for your response, HiroshiSatoh!

I followed all troubleshooting methods contained in the link you provided. The times are synced on the PAN and the Splunk server, the config files are correct, and the acceleration settings for the 3 models related to the app are correct. The logs are coming in and appear to be correct. The search "eventtype=pan" shows logs coming in, in real time. The overview dashboard is populated, as is every other one. So, I'm still stuck with the Traffic and Threat dashboards not populating.

Thoughts?


HiroshiSatoh
Champion

Did you see troubleshooting?
Please read the data model part.

http://pansplunk.readthedocs.io/en/latest/troubleshoot.html

Check acceleration settings in the data model under Settings > Data Model > and find the Palo Alto Networks data models. (There may be 1 or 3 data models depending on the App version.)

Settings>Data models>Palo Alto Networks FirewallLogs
ACCELERATION>Rebuild



HiroshiSatoh
Champion

The overview dashboard searches the raw logs directly, but the Traffic and Threat dashboards use a data model.
How about rebuilding the data model?


HiroshiSatoh
Champion

Can I search with this search sentence? Is field extraction done?

index=XXX (sourcetype=pan_traffic OR sourcetype=pan:traffic)

Field definition:
[extract_traffic]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","flags","protocol","action","bytes","bytes_out","bytes_in","packets","start_time","duration","category","future_use4","sequence_number","action_flags","src_location","dest_location","future_use5","packets_out","packets_in","session_end_reason","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_host","action_source"


BrendanCO
Path Finder

index=main sourcetype="pan:traffic" yields many results.



HiroshiSatoh
Champion

It is caused by a failure to ACCELERATE the data model and create the summary.
I do not recommend it, but I think that it will be displayed if you change the search macro.

summariesonly=t

summariesonly=f


HiroshiSatoh
Champion

I think that it is caused by insufficient memory, so ACCELERATION cannot complete.

Can I execute this search statement?

|tstats summariesonly=f sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM datamodel="pan_firewall" WHERE nodename="log.traffic.end" groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"

Panel "Bytes Transferred Over Time" search statement.

summariesonly=t

summariesonly=f

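To make concrete what the [extract_traffic] field definition quoted earlier and the "Bytes Transferred Over Time" tstats search actually compute, here is an added Python example (not part of this thread or of the Palo Alto Networks app) that splits constructed traffic records with that exact field list and sums bytes_out / bytes_in per 5-minute span, the way the panel does over node log.traffic.end. It assumes generated_time is formatted YYYY/MM/DD HH:MM:SS and that only TRAFFIC records with log_subtype "end" feed that node.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
# Column order copied from the [extract_traffic] stanza quoted earlier in the thread (DELIMS = ",")
FIELDS = (
    "future_use1,receive_time,serial_number,type,log_subtype,future_use2,generated_time,src_ip,dest_ip,"
    "src_translated_ip,dest_translated_ip,rule,src_user,dest_user,app,virtual_system,src_zone,dest_zone,"
    "src_interface,dest_interface,log_forwarding_profile,future_use3,session_id,repeat_count,src_port,"
    "dest_port,src_translated_port,dest_translated_port,flags,protocol,action,bytes,bytes_out,bytes_in,"
    "packets,start_time,duration,category,future_use4,sequence_number,action_flags,src_location,"
    "dest_location,future_use5,packets_out,packets_in,session_end_reason,devicegroup_level1,"
    "devicegroup_level2,devicegroup_level3,devicegroup_level4,vsys_name,dvc_host,action_source"
).split(",")

def parse_traffic(line):
    """Split one record the way DELIMS/FIELDS would. Returns None when the column count
    differs from the stanza: that is the case where field extraction silently misaligns."""
    values = next(csv.reader([line]))
    return dict(zip(FIELDS, values)) if len(values) == len(FIELDS) else None

def bytes_by_span(lines, span_seconds=300):
    """Mimic the panel search without a data model: sum(bytes_out) AS sumSent and
    sum(bytes_in) AS sumReceived over TRAFFIC/end records (node log.traffic.end), span=5m."""
    epoch, span = datetime(1970, 1, 1), timedelta(seconds=span_seconds)
    totals = defaultdict(lambda: [0, 0])
    for ev in map(parse_traffic, lines):
        if ev is None or ev["type"] != "TRAFFIC" or ev["log_subtype"] != "end":
            continue
        ts = datetime.strptime(ev["generated_time"], "%Y/%m/%d %H:%M:%S")
        bucket = (epoch + ((ts - epoch) // span) * span).strftime("%Y/%m/%d %H:%M")
        totals[bucket][0] += int(ev["bytes_out"])
        totals[bucket][1] += int(ev["bytes_in"])
    return {b: {"sumSent": s, "sumReceived": r} for b, (s, r) in sorted(totals.items())}

def make_record(generated_time, subtype, bytes_out, bytes_in):
    """Constructed sample record (not a real firewall log); columns not needed here stay empty."""
    row = dict.fromkeys(FIELDS, "")
    row.update(receive_time=generated_time, generated_time=generated_time, type="TRAFFIC",
               log_subtype=subtype, src_ip="10.0.0.5", dest_ip="192.0.2.10", app="web-browsing",
               action="allow", bytes_out=str(bytes_out), bytes_in=str(bytes_in))
    return ",".join(row[f] for f in FIELDS)

SAMPLE_LINES = [  # constructed: three "end" records, one "start" record, one truncated line
    make_record("2017/03/01 10:01:10", "end", 1200, 34000),
    make_record("2017/03/01 10:03:59", "end", 800, 2000),
    make_record("2017/03/01 10:04:30", "start", 0, 0),
    make_record("2017/03/01 10:06:02", "end", 5000, 150),
    "1,2017/03/01 10:07:00,000000000001,TRAFFIC,end",  # rejected by parse_traffic: 5 of 54 columns
]
```

A count mismatch in parse_traffic is the same failure you would see in Splunk as fields landing in the wrong columns, which is why checking extraction on raw events comes before rebuilding the data model.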

BrendanCO
Path Finder

I had to switch to verbose mode, but that search worked.

http://imgur.com/a/mzS5Q


BrendanCO
Path Finder

And what does this mean at the end of each of your transmissions?

"summariesonly=t

summariesonly=f"

Where am I supposed to find that?


HiroshiSatoh
Champion

You can change it from here.
Settings>Advanced search>Search macros
・_pan_dropdown(2)
・_pan_ep_dropdown(2)
・pan_tstats

※But this is a workaround. It is not a root cause solution.


BrendanCO
Path Finder

Ok. Did you see my previous responses? The Bytes Transferred Over Time search worked just fine. I also watched my working memory on the server while I brought up the Traffic Dashboard. There was plenty of available RAM on the server.
Next thoughts, please? Since I'm only able to get one response per day, please put as many things to try as possible in your responses.


BrendanCO
Path Finder

I changed the search macros to "summariesonly=f". The Traffic dashboard still does not work.


HiroshiSatoh
Champion

It does not work even if the source code is copied as it is...
There is a problem with constructing a data model, not a dashboard.

If you do not understand Splunk well, we recommend that you contact support.


BrendanCO
Path Finder

This is a cop out. You are one of the developers of this app, right? It's quite simple. This app was working one day, it stopped working the next. I am not the only one who has posted this issue and whether or not I was aware of how the search parameters work, that doesn't explain why your app worked one day, and not the next.
I need someone to actually help me, please. You want to advertise that you have an app that works with Palo Alto, you need to support it.


BrendanCO
Path Finder

I'm sorry, I don't understand your recommendation. Are there any log files that might give me more information? Should I consider uninstalling and reinstalling the Palo Alto addon? Please let me know how we can try to move forward. I need to get those dashboards running as soon as possible and I don't want to lose any data in the meantime.


BrendanCO
Path Finder

Also, if you could add as many things to try as possible in the next thread that would be much appreciated. I'm coming up on a deadline here.
