Re: Missing Detailed information

dpirolotvc · ‎10-24-2013

Using version 3.4 on Splunk 5.140868

I have our PA data correctly being indexed to Pan_Logs, data seems to correctly be categorized into the correct sourcetypes and the dashboards are working as expected, however when I click on any of the charts, or click "Threat Details" to get more granular data, the results are empty. The macro pan_threat does return data.

Also, when I click "View Full Report" it looks like it's searching for * within all the indexes on our server. That doesn't sound right.

We are sending everything over (url, threat, system, config) except traffic since that's a bit of a data hog. Is there something I'm missing to get the details working? Does it rely on the traffic data? I'm assuming the Threat Details might as it says "This dashboard provides additional detail on traffic generated by activities related to threats."

bbsoc · ‎10-25-2013

It does rely on traffic data as the results look for the Bytes field, which is not present in the threat logs. What I did is referenced in the other question I posed: http://answers.splunk.com/answers/107426/unable-to-see-threat-details-can-still-see-traffic-logs

Note that you must place '| dedup Session' at the end of the macro so that it doesn't return extra results. Forgot to mention that there.

It's a sloppy way to go about doing it but it's effective and sufficient for what we need for now, but I'm sure that there is a better way to go about it.

Missing Detailed information

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases