
No Data with Version 3.0 of Palo App and Version 5.0.2 of Splunk

groozmarc
New Member

Hi,

I installed the Palo Alto app on a fresh Splunk, followed the instructions in the readme and saw events coming from the PA firewall. But PAN Overview didn't show any counter or the Google Map ("Waiting for search to complete"). If I go to the detailed tabs there is only the timeline, no details. Is that all the app can do?

0 Karma

monzy
Communicator

When you say you saw events coming in from the PA firewall, do you mean that you saw those events in Splunk? Are those events going to the pan_logs index?

What happens when you run this search from the search bar:
index=pan_logs | head 100

What is the timestamp of the latest event?

0 Karma

groozmarc
New Member

After I use Chrome I see the raw data and all the other information!!! With Firefox 17 no change.

Now I see nice bars in the threat dashboard, but in PAN Threat Collected I see only count 8 and no other information.

0 Karma

monzy
Communicator

It is peculiar that you aren't seeing anything other than the timeline. You should be seeing the raw results when you ran your search; the app doesn't do anything to conceal the raw results. What browser and OS are you using? Have you closed all browser windows?

Have you looked at any of the other views beyond the main page? E.g. the traffic overview page or any of the content pages.

Also, when you go to the search app -> Status -> Server activity -> splunkd activity overview, do you see any errors? If so, are those errors related to the Palo Alto app?

0 Karma

groozmarc
New Member

Sorry, I wanted to say: add it also to indexes.

0 Karma

groozmarc
New Member

PA-5000, and with the admin account. I only see the timeline, no more details.

I installed the following apps:

MAXMIND MAXMIND 1.0.6
Splunk for use with AMMAP amMap
Google Maps maps 1.1.2

In Manager » Access controls » Roles » admin
I added "Indexes searched by default" -> pan_logs and added it also to pan_logs.

0 Karma

monzy
Communicator

Are you logging into Splunk with an admin account, or some other user account?

0 Karma

monzy
Communicator

Is the time correct for your timezone? Also, when you say "details beyond", do you mean that you see raw data, and the Google Maps etc. are all blank? The main overview page runs a realtime 5 minute window. If your clock isn't synced, or if you don't have appropriate permissions for the index, or if you don't have the appropriate apps installed, you won't see any results.

What kind of PA firewall do you have?

0 Karma
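The diagnostic behind the advice above (compare the latest indexed timestamp with the search head's clock, because a real-time 5 minute window only shows events whose _time falls inside the last 300 seconds) can be scripted. The following is an added example and not part of the original thread or of the Palo Alto app; it assumes the timestamp format that Splunk's Manager > Indexes page prints ("Feb 28, 2013 9:29:10 AM"), and the "whole-hour gap means timezone mismatch" rule is a troubleshooting heuristic, not something the app reports. All sample values are constructed.

```python
"""Classify why a real-time dashboard window may be empty while the index has events.

Added example (not from the thread or the app). Assumptions:
- timestamps use the Manager > Indexes display format "Feb 28, 2013 9:29:10 AM"
- the dashboard's real-time window is 300 s (monzy's "realtime 5 minute window")
- a gap that is within the window of a whole number of hours is treated as a
  timezone mismatch (e.g. wrong TZ in props.conf) rather than missing data
"""
from datetime import datetime

INDEX_TS_FORMAT = "%b %d, %Y %I:%M:%S %p"   # format shown on the Indexes page
WINDOW_SECONDS = 300                        # real-time window of the overview page


def parse_index_ts(text):
    """Parse a Manager > Indexes style timestamp (naive, search-head local time)."""
    return datetime.strptime(text, INDEX_TS_FORMAT)


def offset_seconds(latest_event, now):
    """Seconds between the clock and the latest event; positive means the event is in the past."""
    return (now - latest_event).total_seconds()


def diagnose(latest_event, now, window=WINDOW_SECONDS):
    """Return one of:
    in_window        latest event would be visible in the real-time window
    stale            latest event is older than the window (data stopped or indexing lag)
    future           latest event is ahead of the clock (it cannot show up until the clock catches up)
    *_tz_skew        same, but the gap is within `window` of a whole number of hours,
                     which usually points at a timezone mismatch rather than no data
    """
    offset = offset_seconds(latest_event, now)
    if 0 <= offset <= window:
        return "in_window"
    verdict = "future" if offset < 0 else "stale"
    hours = abs(offset) / 3600.0
    nearest = round(hours)
    if nearest >= 1 and abs(hours - nearest) * 3600.0 <= window:
        return verdict + "_tz_skew"
    return verdict


if __name__ == "__main__":
    # Constructed values: the Indexes page reported Feb 28, 2013 9:29:10 AM as latest event;
    # the search ran at 9:31:09 AM, so the event is 119 s old and inside the window.
    latest = parse_index_ts("Feb 28, 2013 9:29:10 AM")
    for clock in ("Feb 28, 2013 9:31:09 AM",   # in_window
                  "Feb 28, 2013 9:45:00 AM",   # stale (950 s old)
                  "Feb 28, 2013 10:31:09 AM",  # stale_tz_skew (1 h + 119 s)
                  "Feb 28, 2013 7:31:09 AM"):  # future_tz_skew (events 2 h ahead of the clock)
        now = parse_index_ts(clock)
        print(clock, "->", diagnose(latest, now), "offset", offset_seconds(latest, now))
```

If the verdict is stale or future by a whole number of hours, fix the timezone of the input (or the host clock with NTP) before looking at permissions or missing apps; if the verdict is in_window and the dashboard is still empty, the problem is elsewhere (role access to the index, or the supporting apps).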

groozmarc
New Member

Yes, I saw those events in Splunk. I think they go to pan_logs:

Splunk > Manager > Indexes:

Index name: pan_logs
Max size (MB): 500,000
Frozen archive path: None
Current size (MB): 1
Event count: 1,522
Earliest event: Feb 27, 2013 10:08:41 AM
Latest event: Feb 28, 2013 9:29:10 AM
Home path: /opt/splunk/var/lib/splunk/pan_logs/db
App: SplunkforPaloAltoNetworks

The output of the search:

100 events from 8:31:00 AM to 9:31:09 AM on Thursday, February 28, 2013

But again I only see the timeline and no details beyond it.

0 Karma