I am using Splunk for Palo Alto Networks App version 3.0. When viewing the PAN overview I see:
0 PAN Reporting 0 Events 0 Block-URL N/A Top Category
I checked the pan_* sources and we are receiving data from 7 devices.
Has anyone seen this before and how do you correct the issue?
Regards,
Michael
hello Michael,
in your input configuration please verify that your logs are going to the pan_logs index. you can check this by looking at the index field in the field discovery menu. if the index is 'main' or something else, you can check this by going to Manager - data inputs - your respective input ( UDP 514 is the default) - select the box that says More Settings - scroll down and chose the pan_logs index from the drop down.
if this doesn't fix it, please share the model number of your firewall, the os version and perhaps a sample log file. we have tested this app on PAN OS v5.
also, please share your inputs.conf file from $SPLUNK_HOME/etc/app/SplunkforPaloAltoNetworks/local/inputs.conf
Monzy, we are finding that the problem is on one search head and one indexer. The second indexer shows the PAN overview dashboard. Our firewalls are PA 2050s and PA 5050s.
Quite simply, we know we are receiving data from our devices...it's now a parsing/processing issue with only the pan overview dashboard...data is filling in the other dashboards.
Thank you for your help!
Our architecture is 2 search heads 2 indexers and 1 heavy forwarder. The app is installed on the indexers the forwarder and 1 search head. There is no inputs.conf in the ../local/inputs.conf on any of the devices. There are indexes called pan_logs on both indexers but not on the search head or the heavy forwarder. These indexes are receiving data. On the search head there is a index for pan_logs but we disabled this. Any thoughts.