topic Re: Palo Alto Networks App for Splunk - Dashboards just stopped working in All Apps and Add-ons

Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Wed, 22 Mar 2017 23:13:39 GMT

Hello. I've been running this app within Splunk for a few months. I have two PANs sending syslog feeds and am capturing just about everything. All severities and URLs. The traffic and threat dashboards were populating just fine and then I open them up today and BAM. Nothing. I haven't changed a thing on either the PANs or the Splunk server. Any thoughts as to what might cause this?
The first graph in traffic is "bytes transferred over time". It just says "Search is waiting for input" and when I click on the little "i" it says "Unknown sid".

Thanks in advance!

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

HiroshiSatoh — Thu, 23 Mar 2017 02:00:40 GMT

Did you see troubleshooting?
Please read the data model part.

http://pansplunk.readthedocs.io/en/latest/troubleshoot.html

Check acceleration settings in the data model under Settings > Data Model > and fine the Palo Alto Networks datamodels. (There may be 1 or 3 datamodels depending on the App version)

Settings>Data models>Palo Alto Networks FirewallLogs
ACCELERATION>Rebuild

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Thu, 23 Mar 2017 22:35:09 GMT

Thanks for your response, HiroshiSatoh!

I followed all troubleshooting methods contained in the link you provided. The times are synced on the PAN and the Splunk, the config files are correct, the acceleration settings for the 3 models related to the app is correct. The logs are coming in, appear to be correct. The search "eventtype=pan" produces logs coming in, in real-time. The overview dashboard is populated, as are every other one. So, I'm still stuck with the Traffic and Threat dashboards not populating.

Thoughts?

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

HiroshiSatoh — Fri, 24 Mar 2017 03:46:36 GMT

The overview dashboard searches direct logs, but Traffic and Threat dashboards uses a data model.
How about rebuilding the data model?

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Fri, 24 Mar 2017 04:49:54 GMT

Ok. That's new to me but I will look it up.

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Fri, 24 Mar 2017 21:01:53 GMT

Hello. I've rebuilt all of the data models and the dashboards are still not populating. I've set the time value to "all time" and am not seeing anything. Please let me know what else I should try.

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Fri, 24 Mar 2017 21:03:22 GMT

Hello. I've rebuilt all of the data models and the dashboards are still not populating. I've set the time value to "all time" and am not seeing anything. Please let me know what else I should try.

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

HiroshiSatoh — Tue, 29 Sep 2020 13:21:25 GMT

Can I search with this search sentence? Is field extraction done?

index=XXX (Sourcetype = pan_traffic OR sourcetype = pan: traffic)

※Field definition↓
[extract_traffic]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dest_ip","src_translated_ip","dest_translated_ip","rule","src_user","dest_user","app","virtual_system","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dest_port","src_translated_port","dest_translated_port","flags","protocol","action","bytes","bytes_out","bytes_in","packets","start_time","duration","category","future_use4","sequence_number","action_flags","src_location","dest_location","future_use5","packets_out","packets_in","session_end_reason","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_host","action_source"

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Mon, 27 Mar 2017 20:41:50 GMT

Index=main sourcetype="pan:traffic" yields many results.

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Mon, 27 Mar 2017 20:42:18 GMT

http://imgur.com/X6dvs85

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

HiroshiSatoh — Tue, 28 Mar 2017 13:00:48 GMT

It is caused by failing to ACCELERATION the data model and create the summary.
I do not recommend it, but I think that it will be displayed if you change the search macro.

summariesonly=t
↓

summariesonly=f

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Tue, 28 Mar 2017 19:41:40 GMT

I'm sorry, I don't understand your recommendation. Are there any log files that might give me more information? Should I consider uninstalling and reinstalling the Palo Alto addon? Please let me know how we can try to move forward. I need to get those dashboards running as soon as possible and I don't want to lose any data in the meantime.

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Tue, 28 Mar 2017 22:25:03 GMT

Also, if you could add as many things to try as possible in the next thread that would be much appreciated. I'm coming up on a deadline here.

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

HiroshiSatoh — Tue, 29 Sep 2020 13:25:17 GMT

I think that it is caused by insufficient memory and can not ACCELERATION.

Can I execute this search statement?

|tstats summariesonly=f sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM datamodel="pan_firewall" WHERE nodename="log.traffic.end" groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"

Panel「Bytes Transfered Over Time」search sentence.

summariesonly=t
↓
summariesonly=f

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Wed, 29 Mar 2017 17:20:18 GMT

I had to switch to verbose mode, but that search worked.

http://imgur.com/a/mzS5Q

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Wed, 29 Mar 2017 17:42:40 GMT

and what does this mean at the end of each of your transmissions?

"summariesonly=t
↓
summariesonly=f"

Where am I supposed to find that?

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

HiroshiSatoh — Tue, 29 Sep 2020 13:25:55 GMT

You can change it from here.
Settings>Advanced search>Search macros
・_pan_dropdown(2)
・_pan_ep_dropdown(2)
・pan_tstats

※But this is a workaround. It is not a root cause solution.

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Thu, 30 Mar 2017 15:12:33 GMT

Ok. Did you see my previous responses? The Bytes Transfered Over Time search worked just fine. I also watched my working memory on the server while I brought up the Traffic Dashboard. There was plenty of available RAM on the server.
Next thoughts, please? Since I'm only able to get one response per day, please put as many things to try as possible in your responses.

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Thu, 30 Mar 2017 17:20:34 GMT

I changed the search macros to "summariesonly=f". Traffic dashboard still does not work

Re: Palo Alto Networks App for Splunk - Dashboards just stopped working

BrendanCO — Tue, 29 Sep 2020 13:26:07 GMT

I put in the following query, copied directly from your source code in the Traffic Dashboard:
| pan_tstats sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM node(log.traffic.end) $action$ $src_ip$ $dest_ip$ $dest_port$ "$user|s$" $app$ groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"

I get this error:

Error in 'TsidxStats': WHERE clause is not an exact query