Hello. I've been running this app within Splunk for a few months. I have two PANs sending syslog feeds and am capturing just about everything. All severities and URLs. The traffic and threat dashboards were populating just fine and then I open them up today and BAM. Nothing. I haven't changed a thing on either the PANs or the Splunk server. Any thoughts as to what might cause this?
The first graph in traffic is "bytes transferred over time". It just says "Search is waiting for input" and when I click on the little "i" it says "Unknown sid".
Thanks in advance!
Can anyone else from the development team chime in here? I'm at a loss and can only get 1 response every 24 hours or so. This is becoming urgent.
I put in the following query, copied directly from your source code in the Traffic Dashboard:
| pan_tstats
sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM node(log.traffic.end)
$action$ $src_ip$ $dest_ip$ $dest_port$ "$user|s$" $app$ groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"
I get this error:
Error in 'TsidxStats': WHERE clause is not an exact query
Hello. I've rebuilt all of the data models and the dashboards are still not populating. I've set the time value to "all time" and am not seeing anything. Please let me know what else I should try.
Thanks for your response, HiroshiSatoh!
I followed all troubleshooting methods contained in the link you provided. The times are synced on the PAN and the Splunk server, the config files are correct, and the acceleration settings for the 3 models related to the app are correct. The logs are coming in and appear to be correct. The search "eventtype=pan" produces logs coming in, in real time. The overview dashboard is populated, as are all the others. So, I'm still stuck with the Traffic and Threat dashboards not populating.
Thoughts?
Did you see the troubleshooting page?
Please read the data model part.
http://pansplunk.readthedocs.io/en/latest/troubleshoot.html
Check the acceleration settings in the data model under Settings > Data Model > and find the Palo Alto Networks data models. (There may be 1 or 3 data models depending on the App version.)
Settings>Data models>Palo Alto Networks FirewallLogs
ACCELERATION>Rebuild
The overview dashboard searches the logs directly, but the Traffic and Threat dashboards use a data model.
How about rebuilding the data model?
Can you run this search? Is field extraction done?
index=XXX (sourcetype=pan_traffic OR sourcetype="pan:traffic")
※Field definition↓
[extract_traffic]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","flags","protocol","action","bytes","bytes_out","bytes_in","packets","start_time","duration","category","future_use4","sequence_number","action_flags","src_location","dest_location","future_use5","packets_out","packets_in","session_end_reason","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_host","action_source"
index=main sourcetype="pan:traffic" yields many results.
It is caused by the data model failing to accelerate and create the summary.
I do not recommend it, but I think that it will be displayed if you change the search macro.
summariesonly=t
↓
I think that it is caused by insufficient memory, so acceleration cannot run.
Can I execute this search statement?
|tstats summariesonly=f sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM datamodel="pan_firewall" WHERE nodename="log.traffic.end" groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"
This is the search for the panel 「Bytes Transferred Over Time」.
summariesonly=t
↓
summariesonly=f
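To show what the field extraction above and the tstats search in this post are each doing, here is an added example (not code from the Palo Alto app or from this thread) that parses constructed traffic syslog lines with the FIELDS list from the [extract_traffic] stanza, keeps only the records that would land in the log.traffic.end node, and sums bytes_out/bytes_in per 5-minute bucket the way the panel's search does. Like summariesonly=f, it works from the raw events rather than an accelerated summary. The sample events, the firewall host name, IPs and serial number are all constructed; a deliberately truncated line is included to show how a malformed event yields no fields and therefore no data-model rows.

```python
"""Parse Palo Alto Networks traffic syslog lines with the FIELDS list from the
[extract_traffic] stanza and aggregate bytes per 5-minute bucket, as the
dashboard's tstats search does. Added example; all sample events are constructed."""
import csv
from collections import defaultdict
from datetime import datetime

# Field list copied from the [extract_traffic] stanza. DELIMS="," splits the whole
# raw event, so "future_use1" absorbs the syslog header up to the first comma.
FIELDS = [
    "future_use1", "receive_time", "serial_number", "type", "log_subtype", "future_use2",
    "generated_time", "src_ip", "dest_ip", "src_translated_ip", "dest_translated_ip", "rule",
    "src_user", "dest_user", "app", "virtual_system", "src_zone", "dest_zone", "src_interface",
    "dest_interface", "log_forwarding_profile", "future_use3", "session_id", "repeat_count",
    "src_port", "dest_port", "src_translated_port", "dest_translated_port", "flags", "protocol",
    "action", "bytes", "bytes_out", "bytes_in", "packets", "start_time", "duration", "category",
    "future_use4", "sequence_number", "action_flags", "src_location", "dest_location",
    "future_use5", "packets_out", "packets_in", "session_end_reason", "devicegroup_level1",
    "devicegroup_level2", "devicegroup_level3", "devicegroup_level4", "vsys_name", "dvc_host",
    "action_source",
]

# Constructed sample events (not real firewall output). The last one is truncated:
# the kind of line that silently produces no fields and so never reaches the data model.
SAMPLE_EVENTS = [
    "Jan 10 12:01:05 fw01 1,2018/01/10 12:01:05,001901000123,TRAFFIC,end,1,2018/01/10 12:01:05,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-web,corp\\alice,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,2018/01/10 12:01:05,12345,1,51234,443,0,0,0x0,tcp,allow,4200,1200,3000,20,2018/01/10 12:00:50,15,any,0,123456789,0x0,10.0.0.0-10.255.255.255,United States,0,12,8,tcp-fin,0,0,0,0,vsys1,fw01,from-policy",
    "Jan 10 12:03:40 fw01 1,2018/01/10 12:03:40,001901000123,TRAFFIC,end,1,2018/01/10 12:03:40,10.0.0.7,203.0.113.9,0.0.0.0,0.0.0.0,allow-dns,,,dns,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,2018/01/10 12:03:40,12346,1,40001,53,0,0,0x0,udp,allow,1200,500,700,4,2018/01/10 12:03:39,1,any,0,123456790,0x0,10.0.0.0-10.255.255.255,United States,0,2,2,aged-out,0,0,0,0,vsys1,fw01,from-policy",
    "Jan 10 12:06:10 fw01 1,2018/01/10 12:06:10,001901000123,TRAFFIC,start,1,2018/01/10 12:06:10,10.0.0.5,198.51.100.20,0.0.0.0,0.0.0.0,allow-web,corp\\alice,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,2018/01/10 12:06:10,12347,1,51300,443,0,0,0x0,tcp,allow,150,100,50,3,2018/01/10 12:06:10,0,any,0,123456791,0x0,10.0.0.0-10.255.255.255,United States,0,2,1,n/a,0,0,0,0,vsys1,fw01,from-policy",
    "Jan 10 12:07:30 fw01 1,2018/01/10 12:07:30,001901000123,TRAFFIC,end,1,2018/01/10 12:07:30,10.0.0.9,198.51.100.20,0.0.0.0,0.0.0.0,allow-web,corp\\bob,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,2018/01/10 12:07:30,12348,1,51301,443,0,0,0x0,tcp,allow,1000,800,200,10,2018/01/10 12:07:00,30,any,0,123456792,0x0,10.0.0.0-10.255.255.255,United States,0,6,4,tcp-rst-from-client,0,0,0,0,vsys1,fw01,from-policy",
    "Jan 10 12:08:00 fw01 1,2018/01/10 12:08:00,001901000123,TRAFFIC,end,1,2018/01/10 12:08:00,10.0.0.9",
]


def extract_traffic(line):
    """Return a dict of field -> value, or None when the column count does not
    match the FIELDS definition (mirrors a delimiter extraction that yields nothing)."""
    values = next(csv.reader([line]))  # csv handles quoted fields that contain commas
    if len(values) != len(FIELDS):
        return None
    return dict(zip(FIELDS, values))


def bucket_5m(ts):
    """Floor a PAN timestamp ("YYYY/MM/DD HH:MM:SS") to its 5-minute bucket (span=5m)."""
    dt = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
    return dt.replace(minute=dt.minute - dt.minute % 5, second=0).strftime("%Y-%m-%d %H:%M")


def bytes_over_time(lines):
    """Raw-event equivalent of:
    sum(bytes_out) AS sumSent sum(bytes_in) AS sumReceived FROM node log.traffic.end
    groupby _time span=5m. Returns (buckets sorted by time, rejected lines)."""
    buckets = defaultdict(lambda: {"sumSent": 0, "sumReceived": 0})
    rejected = []
    for line in lines:
        ev = extract_traffic(line)
        if ev is None:
            rejected.append(line)
            continue
        # The log.traffic.end node only contains session-end records.
        if ev["type"] != "TRAFFIC" or ev["log_subtype"] != "end":
            continue
        b = buckets[bucket_5m(ev["generated_time"])]
        b["sumSent"] += int(ev["bytes_out"])
        b["sumReceived"] += int(ev["bytes_in"])
    return dict(sorted(buckets.items())), rejected


if __name__ == "__main__":
    series, bad = bytes_over_time(SAMPLE_EVENTS)
    for when, totals in series.items():
        print(when, totals)
    print("rejected lines:", len(bad))
```

Running it prints two buckets (12:00 and 12:05) built from the three session-end events and reports one rejected line. When a dashboard that reads from the data model goes blank while a raw search such as index=main sourcetype="pan:traffic" still returns events, the same kind of split is worth checking on the Splunk side: events that arrive but fail extraction or are not yet in the accelerated summary are exactly what summariesonly=t hides.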
I had to switch to verbose mode, but that search worked.
And what does this mean at the end of each of your transmissions?
"summariesonly=t
↓
summariesonly=f"
Where am I supposed to find that?
You can change it from here.
Settings>Advanced search>Search macros
・_pan_dropdown(2)
・_pan_ep_dropdown(2)
・pan_tstats
※But this is a workaround. It is not a root cause solution.
Ok. Did you see my previous responses? The Bytes Transfered Over Time search worked just fine. I also watched my working memory on the server while I brought up the Traffic Dashboard. There was plenty of available RAM on the server.
Next thoughts, please? Since I'm only able to get one response per day, please put as many things to try as possible in your responses.
I changed the search macros to "summariesonly=f". The Traffic dashboard still does not work.
It does not work even if the source code is copied as it is...
The problem is with building the data model, not with the dashboard.
If you do not understand Splunk well, we recommend that you contact support.
This is a cop out. You are one of the developers of this app, right? It's quite simple. This app was working one day, it stopped working the next. I am not the only one who has posted this issue and whether or not I was aware of how the search parameters work, that doesn't explain why your app worked one day, and not the next.
I need someone to actually help me, please. You want to advertise that you have an app that works with Palo Alto, you need to support it.
I'm sorry, I don't understand your recommendation. Are there any log files that might give me more information? Should I consider uninstalling and reinstalling the Palo Alto addon? Please let me know how we can try to move forward. I need to get those dashboards running as soon as possible and I don't want to lose any data in the meantime.
Also, if you could add as many things to try as possible in the next thread that would be much appreciated. I'm coming up on a deadline here.