I can't see any dashboard showing numbers (data) in Palo Alto App.
- App version 6.1.1 & TA version 6.1.1
- Splunk version 7.2.9
- Data is being ingested from Syslog > UF to Splunk Cloud.
- Data can be searched at Splunk from sourcetypes: pan:traffic, pan:system, pan:threat
- Data model : pan_firewall is accelerated and built 100%. (there was no data in other datamodels so I disabled the acceleration on them)
one of the search query from dashboard : Network Security
| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name | rename log.* AS * | stats sum(count) AS count by threat_name threat_category severity
*I'm wondering whether the field nodename (not found in the datamodel), which is being used in many other panels' search queries, might be causing the issue. If so, how do I fix that?
Please advise.
Thanks
The Palo Alto app makes extensive use of accelerated datamodels. By turning off accelerations you have disabled some panels.
The nodename keyword identifies a child within the datamodel rather than a field.
Hi Richgalloway,
Thanks for your reply.
Nothing happens when I enable acceleration on all the datamodels, and they build to 100%.
thanks,
I'm concerned about the dashboards which use the DM pan_firewall; it is 100% built and has data in it, but those dashboards are still not showing any data.
I picked the search
WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name | rename log.* AS * | stats sum(count) AS count by threat_name threat_category severity
and removed everything after the first pipe: result > no data
Then I just ran:
it showed me data.
The tstats command you ran was partial, but still helpful. It shows there is data in the accelerated datamodel.
Next, please run the complete tstats command
| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name
If that returns no results then I suspect your data is missing one or more of the severity, threat_category, or threat_name fields.
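As an added isolation sequence for the behaviour discussed above (this is not from the original posts or from the Palo Alto app; it only assumes the node name log.correlation and the grouping fields taken from the panel query, and that the searches are run over the same time range as the dashboard), run these one at a time:

```spl
| tstats summariesonly=t count FROM datamodel=pan_firewall GROUPBY sourcetype

| tstats summariesonly=t count FROM datamodel=pan_firewall WHERE nodename="log.correlation"

| tstats summariesonly=f count FROM datamodel=pan_firewall WHERE nodename="log.correlation"

| tstats summariesonly=t count FROM datamodel=pan_firewall WHERE nodename="log.correlation" GROUPBY log.severity

| datamodel pan_firewall
```

The first search lists which sourcetypes actually landed in the accelerated summary, which is the set the child nodes are carved from. The second tests the node constraint on its own, with no GROUPBY: tstats drops any row whose BY field is null, so a GROUPBY on a field the events do not carry will empty the result even when the node has events, and this search separates "node is empty" from "field is missing". The third repeats it with summariesonly=f, which falls back to searching the raw events where no summary exists; a count here but none in the second search means the summary does not cover the events (different time range, or the index is not one the datamodel searches). The fourth adds the grouping fields back one at a time (repeat with log.threat_category and log.threat_name); the first one that returns nothing is the field that is null on those events. The last search prints the datamodel definition so you can read the constraint on the log.correlation object and compare the sourcetype or search it expects against the sourcetypes returned by the first search; if that constraint matches a sourcetype that is not being ingested, the node will be empty no matter how completely the model has been built.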
I'm in the exact same boat, guys. I put in just:
| tstats summariesonly=t count FROM datamodel="pan_firewall"
And I get data. When I put in:
| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name
I get nothing. I tried adding each argument in from the beginning and it immediately fails at the nodename designation.
Thoughts?