- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- No data showing on Splunk Palo Alto Networks App
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No data showing on Splunk Palo Alto Networks App
Hi,
I recently installed Splunk (5.0.3 trial version) with Palo Alto Apps version 3.2.1. When I connect to the PA-200 (ver 5.0) and set up PA box to send syslog to Splunk, I cannot see any data showing on the Splunk. I used Wireshark to check there are a lot of syslog traffic that were sent from PA-200 to the laptop that Splunk runs on. In the manager->data inputs->udp->514 config, I have source type: pan_log, host: ip, index: pan_logs.
Is there any reason why I don't see syslog data on Splunk?
Btw,I also checked following: when I go to the search app -> status -> server activity -> spunkd acitivity overview I saw following errors:
07-20-2013 23:26:14.420 -0400 ERROR SearchResults - Unable to open output file: path=C:\Program Files\Splunk\etc\users\admin\search\history\HPSSPTLTP019.csv.tmp error=The process cannot access the file because it is being used by another process.
host=HPSSPTLTP019 Options|
sourcetype=splunkd Options|
source=C:\Program Files\Splunk\var\log\splunk\splunkd.log
07-20-2013 23:15:55.602 -0400 ERROR SearchResults - Failed to remove "C:\Program Files\Splunk\etc\users\admin\SplunkforPaloAltoNetworks\history\HPSSPTLTP019.csv.tmp2": The system cannot find the file specified.
host=HPSSPTLTP019 Options|
sourcetype=splunkd Options|
source=C:\Program Files\Splunk\var\log\splunk\splunkd.log Options
Could that be the problem? If so, how do I fix it?
Thanks!
Tina
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey Tina,
I think you have two different issues here. one is probably related to your splunk install and the other may be app related. lets focus on the app one for now.
what happens when you run this search by selecting All Time on the time selector ?
index=pan_logs | head 10
if you see results, ensure that the timestamps of the latest events are reasonably close to the current time in your timezone. the main dashboard is real-time. take a look at the other dashboards. are they empty too ? ensure that you select All Time in the time selector for those events.
if you dont' see logs as a result of this search and your dashboards are empty, ensure that the user you are logged in as, has access to the pan_logs index. you can confirm this by going to Manager, Access Controls, Roles,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you paste your palo alto app's input stanza here please ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
monzy,
First by doing search as you instructed I got no event. then I changed the search indexes section and added pan_logs in the selected search indexes. Restarted the Splunk and still saw no event in the search result.
Tina
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
