https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161865#M15071 <P>Logs are being parsed correctly. </P> <P>Here's what I have for acceleration. I have three Data Models, all are enabled for Data Acceleration and all are set for one year</P> <P>When you look at the details, here's what I have:</P> <P>Palo Alto Networks Endpoint Logs<BR /> MODEL</P> <P>Objects<BR /> 5 Events Edit <BR /> Permissions<BR /> Shared in App. Owned by nobody. Edit </P> <P>ACCELERATION<BR /> Rebuild Update Edit</P> <P>Status<BR /> 100.00% Completed <BR /> Access Count<BR /> 0. Last Access: 1969-12-31T19:00:00-05:00<BR /> Size on Disk<BR /> 1.20MB<BR /> Summary Range<BR /> 31536000<BR /> Buckets<BR /> 49<BR /> Updated<BR /> 2015-09-04T11:21:34-04:00</P> <P>Palo Alto Networks Firewall Logs<BR /> This datamodel represents all the syslogs produced by Palo Alto Networks Next-generation Firewalls and Panorama. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.<BR /> MODEL</P> <P>Objects<BR /> 16 Events Edit <BR /> Permissions<BR /> Shared in App. Owned by nobody. Edit </P> <P>ACCELERATION<BR /> Rebuild Update Edit</P> <P>Status<BR /> 100.00% Completed <BR /> Access Count<BR /> 165. Last Access: 2015-09-04T09:30:29-04:00<BR /> Size on Disk<BR /> 3898.07MB<BR /> Summary Range<BR /> 31536000<BR /> Buckets<BR /> 49<BR /> Updated<BR /> 2015-09-04T11:21:22-04:00</P> <P>(we are not using Wildfire)</P> <P>So acceleration is enabled, the build is at 100%. </P> <P>are there any other steps I'm missing?</P> Fri, 04 Sep 2015 15:30:04 GMT reswob4 2015-09-04T15:30:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161862#M15068 <P>I am not receiving any information on any of the subdashboards. The Overview dashboard (seems to) works just fine. </P> <P>For example, the Threat Dashboard is blank. Putting in a source IP still draws a blank even though a search of "* sourcetype=pan_threat x.x.x.x| table _time,threat_name, severity" within the app gets results.</P> <P>Clicking on one of the dashboards give the following search: </P> <P>| <CODE>tstats</CODE> count FROM <CODE>node(log.threat)</CODE> <CODE>groupby(_time log.log_subtype)</CODE> | timechart values(count) by log_subtype</P> <P>But that returns nothing. Looking at the definitions of the macros shows:</P> <P><CODE>tstats</CODE> =&gt; tstats summariesonly=t and searching those terms doesn't return anything. And how does a macro refer to itself?</P> <P><CODE>node(1)</CODE> =&gt; datamodel="pan_firewall" WHERE nodename="$nodename$" and searching for datamodel="pan_firewall" doesn't return anything either.</P> <P>At this point I figured I'd ask on the forums rather than individually troubleshoot each term/macro/search to find out if there is an overall fix or what. </P> <P>It seems that most of the dashboards rely on the 'tstats' macro, but that macro doesn't seem to work anywhere. </P> <P>Suggestions?</P> Tue, 29 Sep 2020 06:55:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161862#M15068 reswob4 2020-09-29T06:55:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161863#M15069 <P>Hello,</P> <P>The tstats macro refers to the tstats command, not the macro itself. There is nothing wrong with the macro configuration.</P> <P>The dashboards use the tstats command to pull data from an accelerated data model. If there is no data showing up in the dashboard, then the data is most likely not being accelerated by the datamodel. Make sure you are on the latest version of the app, and that the datamodels that come with the app are accelerated.</P> <P>Here is a troubleshooting guide to help you figure out what the dashboards are not populating:<BR /> <A href="https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Splunk-for-Palo-Alto-Networks/ta-p/54261">https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Splunk-for-Palo-Alto-Networks/ta-p/54261</A></P> <P>(see Troublshooting Steps near the bottom of that page)</P> Tue, 01 Sep 2015 16:41:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161863#M15069 btorresgil 2015-09-01T16:41:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161864#M15070 <P>We are on the latest version.<BR /> I already went through those tips.<BR /> I checked and the data model is being accelerated.</P> Tue, 01 Sep 2015 19:49:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161864#M15070 reswob4 2015-09-01T19:49:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161865#M15071 <P>Logs are being parsed correctly. </P> <P>Here's what I have for acceleration. I have three Data Models, all are enabled for Data Acceleration and all are set for one year</P> <P>When you look at the details, here's what I have:</P> <P>Palo Alto Networks Endpoint Logs<BR /> MODEL</P> <P>Objects<BR /> 5 Events Edit <BR /> Permissions<BR /> Shared in App. Owned by nobody. Edit </P> <P>ACCELERATION<BR /> Rebuild Update Edit</P> <P>Status<BR /> 100.00% Completed <BR /> Access Count<BR /> 0. Last Access: 1969-12-31T19:00:00-05:00<BR /> Size on Disk<BR /> 1.20MB<BR /> Summary Range<BR /> 31536000<BR /> Buckets<BR /> 49<BR /> Updated<BR /> 2015-09-04T11:21:34-04:00</P> <P>Palo Alto Networks Firewall Logs<BR /> This datamodel represents all the syslogs produced by Palo Alto Networks Next-generation Firewalls and Panorama. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.<BR /> MODEL</P> <P>Objects<BR /> 16 Events Edit <BR /> Permissions<BR /> Shared in App. Owned by nobody. Edit </P> <P>ACCELERATION<BR /> Rebuild Update Edit</P> <P>Status<BR /> 100.00% Completed <BR /> Access Count<BR /> 165. Last Access: 2015-09-04T09:30:29-04:00<BR /> Size on Disk<BR /> 3898.07MB<BR /> Summary Range<BR /> 31536000<BR /> Buckets<BR /> 49<BR /> Updated<BR /> 2015-09-04T11:21:22-04:00</P> <P>(we are not using Wildfire)</P> <P>So acceleration is enabled, the build is at 100%. </P> <P>are there any other steps I'm missing?</P> Fri, 04 Sep 2015 15:30:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161865#M15071 reswob4 2015-09-04T15:30:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161866#M15072 <P>Here's an update. Currently, this is partially working. To be clear, the Palo Alto was sending the logs to indexerA and I was using the SH (I only have one) to view the events. Both the indexer and the SH have the PA app installed. Initially, the dashboards were not working on either indexerA or the SH. Then, during troubleshooting on IndexerA, the Threat dashboard and the Traffic dashboard started showing events, but not the Content dashboard. On the SH, still nothing. After some further back and forth with PA tech support, I had to move on.</P> <P>So consider this thread closed for now.</P> Tue, 22 Sep 2015 20:17:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161866#M15072 reswob4 2015-09-22T20:17:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161867#M15073 <P>I downvoted this post because helpful, but the end result indicated no ultimate solution.</P> Tue, 08 Nov 2016 16:49:10 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/All-Sub-Dashboards-are-blank-why/m-p/161867#M15073 abeeber_splunk 2016-11-08T16:49:10Z