Palo Alto Networks App for Splunk: Why is the "Threat Subtypes" panel on the "Threat dashboard" showing incomplete data?

vsingla1
Communicator

On the "Threat Dashboard", under the "Threat Subtypes" chart panel, I clicked on the subsearch and below is the search it returned:

| `tstats` count FROM `node(log.threat)`    `groupby(_time log.log_subtype)` | timechart values(count) by log_subtype

But this panel/subsearch shows incomplete information. When searching for the past 7 days from 11/17, data is returned for dates beyond 11/12. There is no data for dates between 11/13 and 11/17. That is really not possible. When I check raw events under sourcetype=pan_threat, I see a continuous stream of data.

Why is data not showing in the panel/dashboard, BUT showing in the raw events?

0 Karma

btorresgil
Builder

I can't think of anything in the app itself that would cause this problem. The dashboard leverages the datamodel acceleration features of Splunk 6, so if the datamodel acceleration is not up-to-date, you could find data missing for some time periods. But I find it strange that you see data for time periods you aren't even requesting. One suggestion is to re-install the app, since a customization in the props or transforms might cause the logs needed to populate this panel to be misinterpreted. Another suggestion is to ensure your time and timezones match on all firewalls and Splunk nodes and that the timestamp on the logs is being interpreted correctly by Splunk.

0 Karma
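The two explanations offered in the answer above (a lagging datamodel summary, and firewall timestamps interpreted in the wrong timezone) each leave a distinct fingerprint in per-day counts. The script below is an added example, not code from the original thread or from the Palo Alto Networks app: it buckets constructed PAN-OS-style THREAT lines by day the way a `timechart span=1d` would, diffs that against a constructed set of summary counts to list the days the summary is missing, and re-parses the same timestamps under a different UTC offset to show which days change when the indexer assumes the wrong zone. The field layout (field 2 is `receive_time`, field 4 the log type, field 5 the subtype), the `YYYY/MM/DD HH:MM:SS` format, and all log lines and counts are assumptions made for illustration.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample lines in a PAN-OS-like comma-separated syslog layout
# (assumed: field 1 FUTURE_USE, field 2 receive_time, field 3 serial,
# field 4 type, field 5 subtype). Not real firewall output.
RAW_LINES = [
    "1,2014/11/11 08:00:00,0016,THREAT,url,",
    "1,2014/11/12 23:30:00,0016,THREAT,vulnerability,",
    "1,2014/11/13 00:15:00,0016,THREAT,spyware,",
    "1,2014/11/14 09:00:00,0016,THREAT,url,",
    "1,2014/11/15 12:00:00,0016,THREAT,url,",
    "1,2014/11/16 18:45:00,0016,THREAT,vulnerability,",
    "1,2014/11/17 03:10:00,0016,THREAT,url,",
]

# Constructed per-day counts as a stale accelerated summary might report
# them: the summary has not caught up past 11/12.
STALE_SUMMARY_COUNTS = {"2014-11-11": 1, "2014-11-12": 1}

TS_FORMAT = "%Y/%m/%d %H:%M:%S"  # assumed receive_time format


def parse_receive_time(line, utc_offset_hours):
    """Parse receive_time (2nd CSV field) as wall-clock time in a zone
    with the given UTC offset and return an aware UTC datetime."""
    fields = line.split(",")
    naive = datetime.strptime(fields[1], TS_FORMAT)
    zone = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def daily_counts(lines, utc_offset_hours):
    """Bucket events by UTC calendar day, as a timechart span=1d would."""
    counts = Counter()
    for line in lines:
        day = parse_receive_time(line, utc_offset_hours).date().isoformat()
        counts[day] += 1
    return dict(counts)


def days_between(start, end):
    """Inclusive list of ISO dates from start to end."""
    d0, d1 = date.fromisoformat(start), date.fromisoformat(end)
    return [(d0 + timedelta(days=i)).isoformat() for i in range((d1 - d0).days + 1)]


def missing_days(raw_counts, summary_counts, start, end):
    """Days in [start, end] that have raw events but no summary rows:
    the signature of datamodel acceleration lagging behind the index."""
    return [d for d in days_between(start, end)
            if raw_counts.get(d, 0) > 0 and summary_counts.get(d, 0) == 0]


def days_shifted_by_tz(lines, correct_offset_hours, assumed_offset_hours):
    """Days whose counts change when the indexer assumes the wrong zone
    for the firewall's timestamps: events near midnight move into the
    neighbouring day, so some days lose events and others gain them."""
    right = daily_counts(lines, correct_offset_hours)
    wrong = daily_counts(lines, assumed_offset_hours)
    return sorted(d for d in set(right) | set(wrong)
                  if right.get(d, 0) != wrong.get(d, 0))


if __name__ == "__main__":
    raw = daily_counts(RAW_LINES, 0)
    print("days with raw events but no summary rows:",
          missing_days(raw, STALE_SUMMARY_COUNTS, "2014-11-11", "2014-11-17"))
    print("days whose counts change if the firewall is really UTC-8:",
          days_shifted_by_tz(RAW_LINES, 0, -8))
```

A contiguous run of missing days ending at "now", with raw events present for the same days, points at the summary (acceleration backlog or a rebuild in progress). A timezone mismatch instead shows up as a fixed offset of a few hours that moves events across day boundaries in both directions, never as several whole days vanishing, which is why the answer above treats the two causes separately.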