Why am I not getting any data on Palo Alto Network...

TRBVBQ · ‎03-23-2018

Hello
Splunk Version 6.2.1
Palo Alto Networks APP 6.0.1

The index seems to be correctly configured because I receive data if I search "eventtype=pan" or "index="pan_logs" on the App itself.

But I have no data at all under Activity, Threats or Operations tab...

I followed the troubleshooting steps available but found nothing, only something about NTP and time settings, but that's not clear that the NTP problem makes the data not to appear at all.
And the timestamp of logs seems correct:

What else can I check? This is my first configs on Splunk and I may have missed something.

Thanks for the help!

TRBVBQ · ‎03-26-2018

TRBVBQ · ‎03-26-2018

Hello

On the "Real Time event feed", I have only the "Event type" graph that is filled.
On some dashboards, I have this warning " KVStore based automatic lookups are not supported (pan:threat)"

panguy · ‎03-24-2018

The add-on is required for parsing. Does the operations > real time events dashboard work?

panguy · ‎03-23-2018

Are some dashboards working or non at all? What version of the Add-on do you have installed?

TRBVBQ · ‎03-23-2018

Yes, I have some working dashboards, but only for others App, like network ones.

The Add one is 6.0.2, but I think I don't need this Add On, I have configured nothing on it.

Thanks !

tiagofbmm · ‎03-23-2018

Can you retrieve the search query for one of the non functioning dashboards and paste it here please?

TRBVBQ · ‎03-26-2018

Firewall Event, Latest event code is this one:

| pan_tstats count FROM node(log.system) $serial_number$ $vsys$ $description$ $log_subtype$ $severity$ $event_id$ table(_time log.serial_number log.description log.log_subtype log.severity log.event_id) | sort -_time

TRBVBQ · ‎03-26-2018

And what's displayed is "waiting for entries"

Why am I not getting any data on Palo Alto Networks App for Splunk?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2