Palo Alto for Splunk error.

flanny16
New Member

Here is what I am trying to accomplish. We have our wireless controllers forwarding syslog information to Splunk; this works quite well.
I now want Splunk to forward part of the syslog message (user name and IP address) to our Palo Alto Panorama virtual machine (10.0.2.10), which in turn will send it off to our Palo Alto firewall.
When I run the following search in the Palo Alto app I get an error:

index=main sourcetype=syslog rename "user account" AS addruser | rename "IP address" AS addrip | panupdate device="10.0.2.10" devicegroup="PA-grp"

The error I get is --> External search command 'panupdate' returned error code -1.

Can someone add any insight?

thanks in advance,
GMF


Valky
Explorer

I got the same and I figured out why (unfortunately I still have a problem). You need to manage your fields. First click on field transformation and add addrip and addruser respectively, with the right regex to extract them from your log session. Then go to your field extraction and do the same. Now you can do your search. Be careful: you need to have a unique IP address for each user. If your search is empty, with no user or no IP address, you will have the same error.
But when I check on the Panorama, I get the IP address for both name and address. I am still looking for why, but I really have no idea, because all configuration is OK...

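The two conditions Valky describes (both fields must actually be extracted from each event, and each user must map to exactly one IP, otherwise panupdate gets nothing or gets conflicting data) can be checked before anything is sent to Panorama. The script below is an added example written for this thread, not code from the Palo Alto app or from any poster. The syslog line format and the regexes are assumptions; the sample events are constructed, and only the field names addruser and addrip come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample controller events (assumed format; not real WLC output).
# Two of them should be dropped: one has no user/IP fields at all, and one has
# a value in the "IP address" slot that is not an IPv4 address.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 wlc01 client-auth: user account=alice IP address=10.1.1.20",
    "Jan 10 12:00:05 wlc01 client-auth: user account=bob IP address=10.1.1.21",
    "Jan 10 12:00:09 wlc01 client-auth: user account=alice IP address=10.1.1.20",
    "Jan 10 12:00:12 wlc01 client-auth: user account=carol IP address=10.1.1.22",
    "Jan 10 12:00:15 wlc01 client-auth: user account=carol IP address=10.1.1.23",
    "Jan 10 12:00:20 wlc01 heartbeat: controller up, 3 clients",
    "Jan 10 12:00:25 wlc01 client-auth: user account=dave IP address=not-an-ip",
]

# Assumed extraction regexes, equivalent to what a Splunk field extraction
# for "user account" -> addruser and "IP address" -> addrip would do.
USER_RE = re.compile(r"user account=(?P<addruser>\S+)")
IP_RE = re.compile(r"IP address=(?P<addrip>(?:\d{1,3}\.){3}\d{1,3})\b")


def extract_fields(event):
    """Return {'addruser': ..., 'addrip': ...}, or None if either field is missing."""
    user = USER_RE.search(event)
    ip = IP_RE.search(event)
    if not user or not ip:
        return None
    return {"addruser": user.group("addruser"), "addrip": ip.group("addrip")}


def build_mappings(events):
    """Collapse events into one (user, IP) pair per user.

    Returns (mappings, conflicts, dropped):
      mappings  - list of {'addruser', 'addrip'} dicts, one per user with a single IP
      conflicts - {user: [ip, ...]} for users seen with more than one IP
      dropped   - number of events where a field could not be extracted
    """
    ips_by_user = defaultdict(set)
    dropped = 0
    for event in events:
        fields = extract_fields(event)
        if fields is None:
            dropped += 1
            continue
        ips_by_user[fields["addruser"]].add(fields["addrip"])

    mappings, conflicts = [], {}
    for user, ips in sorted(ips_by_user.items()):
        if len(ips) == 1:
            mappings.append({"addruser": user, "addrip": next(iter(ips))})
        else:
            conflicts[user] = sorted(ips)
    return mappings, conflicts, dropped


def check_ready(mappings):
    """True only if there is at least one clean pair to push; an empty result
    set is exactly the case Valky reports as producing the same panupdate error."""
    return len(mappings) > 0


if __name__ == "__main__":
    mappings, conflicts, dropped = build_mappings(SAMPLE_EVENTS)
    print("ready to push:", mappings)
    print("users with more than one IP (fix before pushing):", conflicts)
    print("events with missing or bad fields:", dropped)
    print("safe to run panupdate:", check_ready(mappings))
```

Running the script on the constructed events shows alice and bob as clean pairs, carol flagged because she appears with two IPs, and the heartbeat and bad-IP lines counted as dropped. The same idea applies inside Splunk: confirm with a plain search that addruser and addrip are populated and that `stats dc(addrip) by addruser` is 1 everywhere before adding the panupdate stage.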

monzy
Communicator

Hey GMF,

Did you configure a user name and password for your Panorama when you installed the app? Also, there might be more info about this error in $SPLUNK_HOME/var/log/splunk/python.log.


monzy
Communicator

Yes, the rename is required. I would suggest that you ensure that the syslog source events from your wireless controller have fields called "user account" and "IP address". If they are called something different, you will have to specify those fields.


flanny16
New Member

You are correct; it was a typo.
Here is the command:
index=main sourcetype=syslog | rename "user account" AS addruser | rename "IP address" AS addrip | panupdate device="10.0.2.10" devicegroup="PA-grp"

Our wireless controller detects "user account" and "IP Address". I was told the rename is required to translate these into something panupdate will understand. Is this correct?

/GMF


monzy
Communicator

I think there is an unintended rename in the search command you posted. Snipping up to the first pipe:

index=main sourcetype=syslog rename "user account" AS addruser |

Your initial search is essentially looking for the term 'rename' in the log event itself. This is probably an unlikely occurrence in the log event. If so, the search doesn't really return anything; as a result, we don't really pass anything to panupdate.

That said, I agree that panupdate should emit a better error message.


flanny16
New Member

Yes, I followed the instructions on here and have added the username and password, thanks.
The full error is too large to post here, but in a nutshell I have added quotes (') at the beginning and the end:

'URLError: '

Thanks, great app regardless.
