https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188018#M19032 <P>I opened a case with splunk. The built in data models work but they aren't accelerated. </P> <P>When I turn off acceleration in the PAN App, I don't get the errors from my indexers. Of course the pivots will take forever and the dashboards relay on acceleration so that's useless but at least I can now assume that the problem is data model acceleration.</P> Thu, 19 Jun 2014 00:12:09 GMT dfronck 2014-06-19T00:12:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188015#M19029 <P>I installed the Splunk for Palo Alto Networks app. I am getting data and my index and source types are correct. When I do searches, all the PA fields are getting extracted.</P> <P>However, I only the Overview dashboard works; it displays real-time information.</P> <P>The other dashboards and sub-dashboards under Traffic, Threat, Content and System all say "Search is waiting for input..." and the drop downs all say "Search produced no results."</P> <P>We are using a cluster so the app in installed on the heavy forwarder that receives the logs and a search head that can search all of our indexers.</P> <P>EDIT: Just realized that the heavy forwarder is still running v6.0.3. Maybe that's the issue. Upgrading tonight to find out.</P> Wed, 04 Jun 2014 13:29:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188015#M19029 dfronck 2014-06-04T13:29:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188016#M19030 <P>Didn't get to upgrade the forwarder but I don't see why that would cause an issue anyway.</P> <P>If I use Pivot or go to PAN App search and enter (with back quotes around the search)<BR /> | <CODE>_pan_dropdown(log.traffic.end, log.app)</CODE></P> <P>I get the following error from all of my indexers.</P> <P>[index_server] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search</P> <P>Yet there are 300gb in /opt/splunk/var/lib/splunk/pan_logs/datamodel_summary on all of my indexers.</P> Mon, 28 Sep 2020 16:47:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188016#M19030 dfronck 2020-09-28T16:47:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188017#M19031 <P><STRONG>I don't think this app works if your indexers are clustered.</STRONG> </P> <P>I installed the app on my search head pool, heavy forwarders and indexers. As I stated above, on the search heads, I only get data in the Overview Dashboard.</P> <P>Using the app on the indexers, I get data on all of the dashboards but it's fairly useless because I only get the data that's on that singe indexer in the cluster.</P> Tue, 10 Jun 2014 02:48:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188017#M19031 dfronck 2014-06-10T02:48:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188018#M19032 <P>I opened a case with splunk. The built in data models work but they aren't accelerated. </P> <P>When I turn off acceleration in the PAN App, I don't get the errors from my indexers. Of course the pivots will take forever and the dashboards relay on acceleration so that's useless but at least I can now assume that the problem is data model acceleration.</P> Thu, 19 Jun 2014 00:12:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188018#M19032 dfronck 2014-06-19T00:12:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188019#M19033 <P>Let us know what support says. I am having this same exact issue.</P> Fri, 20 Jun 2014 19:20:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188019#M19033 trademarq 2014-06-20T19:20:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188020#M19034 <P>Trouble shooting with Splunk showed that I can go to the PAN App Search and enter "| datamodel pan_logs" and get results back.</P> <P>I also enabled acceleration on the built in apps and they worked.</P> <P>Support says the problem is in the App.</P> Sat, 28 Jun 2014 23:27:48 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188020#M19034 dfronck 2014-06-28T23:27:48Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188021#M19035 <P>Looking at the search.log on the indexer shows, that the macro can not be found on the indexer:</P> <P>06-30-2014 14:49:08.773 ERROR TsidxStats - Error in 'SearchParser': Could not find macro 'pan_index' that takes 0 arguments. Expecting stanza name 'pan_index'.<BR /> 06-30-2014 14:49:08.773 INFO TsidxStats - Could not obtain a valid set of indexes to search</P> <P>I fixed the problem with modifying the data model root object constraint from "<CODE>pan_index</CODE>" to "index=pan_logs".</P> Mon, 28 Sep 2020 16:57:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188021#M19035 my2ndhead 2020-09-28T16:57:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188022#M19036 <P>Thanks my2ndhead! That fixed it. It looks like the macro is not working so explicitly setting the root constraint to index=pan_logs "fixes" that.</P> <P>If you're having this problem, here are the steps to fix it.</P> <OL> <LI>Go to Data Models for the SplunkforPaloAltoNetworks app.</LI> <LI>Select Edit/Edit Acceleration and turn off acceleration.</LI> <LI>Then click "Palo Alto Networks Logs".</LI> <LI>Edit the "pan_index" constraint.</LI> <LI>Change "<CODE>pan_index" to index=</CODE>pan_logs and save.</LI> <LI>Click "Back to Data Models".</LI> <LI>Select Edit/Edit Acceleration and turn on acceleration and set the Summary Range.</LI> </OL> <P>All of the dashboards are working now.</P> Mon, 30 Jun 2014 15:30:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188022#M19036 dfronck 2014-06-30T15:30:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188023#M19037 <P>Thanks for this, but let me add, if you have a search head and multiple indexers, make the change on your search head, re-deploy the updated app to your indexers so they all receive the updated data model.</P> <P>Thanks dfronck - your solution helped!</P> Thu, 03 Jul 2014 20:42:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188023#M19037 emalenfant 2014-07-03T20:42:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188024#M19038 <P>This change is no longer needed in version 4.1.2 and higher. These versions of the Palo Alto Networks app contain the change already.</P> Fri, 10 Oct 2014 23:44:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Only-the-Overview-dashboard-has-data-PAN-App-v4-1-1-Splunk-v6-1/m-p/188024#M19038 btorresgil 2014-10-10T23:44:31Z