topic Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview? in All Apps and Add-ons

Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

seanbarbour — Mon, 08 Aug 2016 19:47:34 GMT

I set up the Palo Alto Networks App for Splunk, but all of the dashboards are blank except for the overview. The firewall is configured to send the log data via syslog (not using 514 as it is already being used). I verified that I am getting traffic, threat, configuration log data, however, none of the dashboards are populating with new data other than the overview dashboard.

I verified that I am getting new log data by running pan_traffic and pan_threat and selecting a 30 second time Window for real-time.

I had this issue with 5.1.x and I upgraded to 5.2.0 since I had recently upgraded the PANOS (TA is at version 3.6.1), but the dashboards are still empty. I was prompted to set the app back up after the upgrade, but everything needed was already in the configuration file so I just clicked save. Same results, Overview works, but none of the other dashboards.

Versions:
Splunk: 6.3.3
PAN App: 5.2.0
TA: 3.6.1

Thanks,
Sean

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

panguy — Mon, 08 Aug 2016 23:07:56 GMT

Hi Sean,

Have you tried going through the troubleshooting guide?

http://pansplunk.readthedocs.io/en/latest/troubleshoot.html

Thanks,

Paul

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

seanbarbour — Tue, 09 Aug 2016 16:06:14 GMT

Yes. I checked the accelerated reports and confirmed that they were each (3) were at 100%. I chose to rebuild them in case something went wrong the first go. They have not finished yet.

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

seanbarbour — Tue, 09 Aug 2016 17:23:12 GMT

The reports finished but i am still not getting results. I did find that if I change the time range to all time I get results from last year. I had to stopped forwarding data from our firewall due to license over run, which is no longer an issue.

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

panguy — Tue, 29 Sep 2020 10:34:09 GMT

Did you add

no_appending_timestamp = true

in inputs.conf UDP stanza?

Can you also confirm clocks and timezones on the firewall and splunk server are the same.

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

kbrown_splunk — Tue, 09 Aug 2016 18:08:22 GMT

Please confirm that your sourcetypes are correct. They should start with pan:
See:

http://pansplunk.readthedocs.io/en/latest/getting_started.html#step-3-create-the-splunk-data-input

Also check to see if you have the your role "Indexes to search by default" with the paloalto index selected.

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

seanbarbour — Tue, 09 Aug 2016 18:45:41 GMT

The index is in the list of indexes to search and my inputs.conf file is as needed:

[udp://5141]
sourcetype = pan:log
no_appending_timestamp = true

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

seanbarbour — Tue, 09 Aug 2016 18:49:04 GMT

inputs:

[udp://5141]
sourcetype = pan:log
no_appending_timestamp = true

Both are in the right time zone and are showing the same time.

I checked out splunkd.log and found:

08-09-2016 14:22:30.545 -0400 ERROR FrameworkUtils - Incorrect path to script: /.\bin\scripted_inputs\deploy_splunk_ta_paloalto.py.  Script must be located inside $SPLUNK_HOME/bin/scripts.
08-09-2016 14:22:30.545 -0400 ERROR ExecProcessor - Ignoring: "'/.\bin\scripted_inputs\deploy_splunk_ta_paloalto.py'

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

kbrown_splunk — Tue, 09 Aug 2016 18:50:36 GMT

so if you search with just sourcetype=pan:log
you get events?
and those events have the expected fields?

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

seanbarbour — Tue, 09 Aug 2016 18:55:43 GMT

I get events. 3,602,097 events (Partial results for before 8/9/16 2:52:38.000 PM) ( I stopped the search)

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

kbrown_splunk — Tue, 09 Aug 2016 18:59:13 GMT

Are they parsed correctly meaning you see the expected fields?
Next thing to try will be to look at the dashboard panel, move your mouse to the left bottom, an icon should appear to allow you to run the search. Take a look at that search to determine where the issue is. If the icon is not there then look at the job inspector to find the search it is running to fill the panel.

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

seanbarbour — Tue, 09 Aug 2016 19:25:09 GMT

Search terms:

None | tstats sum(bytes_sent) AS sumSent sum(bytes_received) AS sumReceived FROM pan_traffic where log_subtype=end groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"

Here is the search:

| tstats sum(bytes_sent) AS sumSent sum(bytes_received) AS sumReceived FROM pan_traffic where log_subtype=end groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

agehring4823 — Tue, 23 Aug 2016 20:06:02 GMT

I checked the acceleration on my install, as well. It was only at 32% so I started a rebuild.

when the rebuild reached ~75% the other dashboards starting working; However, it is now at 98.63% and the other dashboards have stopped working again...