Hello
Splunk Version 6.2.1
Palo Alto Networks APP 6.0.1
The index seems to be correctly configured because I receive data if I search "eventtype=pan" or "index=pan_logs" on the App itself.
But I have no data at all under Activity, Threats or Operations tab...
I followed the troubleshooting steps available but found nothing, only something about NTP and time settings, but it's not clear that the NTP problem would make the data not appear at all.
And the timestamp of logs seems correct:
What else can I check? These are my first configs on Splunk and I may have missed something.
Thanks for the help!
The add-on is required for parsing. Does the operations > real time events dashboard work?
Are some dashboards working or none at all? What version of the Add-on do you have installed?
Yes, I have some working dashboards, but only for other Apps, like network ones.
The Add-on is 6.0.2, but I think I don't need this Add-on, I have configured nothing on it.
Thanks!
Can you retrieve the search query for one of the non functioning dashboards and paste it here please?
Firewall Event, Latest event code is this one:
| pan_tstats
count FROM node(log.system)
$serial_number$ $vsys$ $description$ $log_subtype$ $severity$ $event_id$ table(_time log.serial_number log.description log.log_subtype log.severity log.event_id)
| sort -_time
And what's displayed is "waiting for entries"
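The dashboard query above only returns rows for events that (a) were parsed by the Add-on into the log.system node with fields like log.serial_number and log.log_subtype, (b) pass the panel's filter tokens, and (c) carry a _time inside the panel's time range, which is where the NTP warning from the troubleshooting guide comes in. The script below is an added illustration of those three checks run over constructed syslog payloads; it is not part of this thread and not code from the Palo Alto Networks App or Add-on. The column layout is assumed to be the PAN-OS 6.x/7.x system-log CSV format, the field names mirror the ones the pasted query references, and the serial number, hosts and messages are made up.

```python
import csv
import io
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Column positions in a comma-separated PAN-OS system log as forwarded over
# syslog. Assumption: the PAN-OS 6.x/7.x system-log layout (index 0 is a
# FUTURE_USE placeholder, index 1 the receive time, ...); check it against
# the log-format reference for the PAN-OS release you run.
SYSTEM_LOG_COLUMNS = {
    "serial_number": 2,
    "log_type": 3,
    "log_subtype": 4,
    "generated_time": 6,
    "vsys": 7,
    "event_id": 8,
    "module": 12,
    "severity": 13,
    "description": 14,
}
PAN_TIME_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed sample syslog payloads (serial number, hosts and messages are
# made up); the third is a TRAFFIC log that the system-log dashboard ignores.
SAMPLE_LOGS = [
    '1,2015/02/10 10:15:22,001606001116,SYSTEM,general,0,2015/02/10 10:15:22,'
    'vsys1,general,,0,0,general,informational,"Admin login from 10.0.0.5",101,0x0',
    '1,2015/02/10 10:16:05,001606001116,SYSTEM,ntp,0,2015/02/10 10:16:05,'
    'vsys1,ntp-sync-failed,,0,0,ntp,high,"NTP sync to 10.0.0.1 failed",102,0x0',
    '1,2015/02/10 10:16:40,001606001116,TRAFFIC,end,0,2015/02/10 10:16:40,'
    '10.0.0.5,10.1.1.9,0.0.0.0,0.0.0.0,allow-all,,,web-browsing,vsys1,trust,untrust',
]

# Constructed indexer clock values: one close to the sample events, one an
# hour ahead (what a firewall without NTP looks like from the indexer's side).
INDEXER_NOW = datetime(2015, 2, 10, 10, 20, 0)
INDEXER_NOW_LATE = INDEXER_NOW + timedelta(hours=1)


def parse_system_log(line):
    """Map one PAN-OS syslog payload onto the field names the dashboard
    query references (log.serial_number, log.log_subtype, ...). Returns None
    for anything that is not a complete system log."""
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) < 15 or fields[3] != "SYSTEM":
        return None
    event = {name: fields[idx] for name, idx in SYSTEM_LOG_COLUMNS.items()}
    # _time is taken from the generated-time column; if the firewall clock is
    # wrong, every event is indexed at the wrong _time.
    event["_time"] = datetime.strptime(event["generated_time"], PAN_TIME_FORMAT)
    return event


def matches_filters(event, **filters):
    """Emulate the dashboard tokens ($serial_number$, $log_subtype$, ...):
    each filter is a glob, and "*" (the token default) matches anything."""
    return all(fnmatchcase(event[name], pattern) for name, pattern in filters.items())


def skew_seconds(event, now):
    """Seconds between the event's generated time and the indexer clock."""
    return abs((now - event["_time"]).total_seconds())


def triage(lines, now, max_skew=timedelta(minutes=5), **filters):
    """Run the three checks a blank panel calls for: is the line a system log
    at all, does it pass the panel's filters, and is its _time close enough
    to the indexer clock to fall inside the panel's time range?"""
    report = {"not_system": 0, "filtered_out": 0, "clock_skew": 0, "shown": 0}
    for line in lines:
        event = parse_system_log(line)
        if event is None:
            report["not_system"] += 1
        elif not matches_filters(event, **filters):
            report["filtered_out"] += 1
        elif skew_seconds(event, now) > max_skew.total_seconds():
            report["clock_skew"] += 1
        else:
            report["shown"] += 1
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, INDEXER_NOW, severity="*"))
    print(triage(SAMPLE_LOGS, INDEXER_NOW_LATE, log_subtype="ntp"))
```

Reading the report is the point: a high not_system count means the events never became log.system entries (the Add-on's parsing is missing or the sourcetype is wrong), filtered_out points at the panel tokens, and clock_skew means the firewall and indexer clocks disagree so a "last 15 minutes" panel shows nothing even though a raw index search finds the events.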