https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515322#M63102 <P>Hi R<SPAN>ichgalloway,</SPAN></P><P>Thanks for your reply.</P><P>Nothing happens when I enabled the acceleration of all the datamodels and they build 100%.</P><P>thanks,</P> Thu, 20 Aug 2020 22:43:42 GMT ssharma09 2020-08-20T22:43:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515108#M63100 <P>I can't see any dashboard showing numbers (data) in Palo Alto App.</P> <P>- App version 6.1.1 &amp; TA version 6.1.1</P> <P>- Splunk version 7.2.9</P> <P>- Data is being ingested from Syslog &gt; UF to Splunk Cloud.</P> <P>- Data can be searched at Splunk from sourcetypes: pan:traffic, pan:system, pan:threat</P> <P>- Data model :&nbsp;<SPAN>pan_firewall is accelerated and built 100%. (there was no data in other datamodels so I&nbsp; disabled the acceleration on them)</SPAN></P> <P><SPAN>one of the search query from dashboard : Network Security&nbsp;</SPAN></P> <P><SPAN>| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE<STRONG> nodename</STRONG>="log.correlation" GROUPBY log.severity log.threat_category log.threat_name | rename log.* AS * | stats sum(count) AS count by threat_name threat_category severity</SPAN></P> <P><SPAN>*I'm wondering the field <STRONG>nodename (</STRONG>not found in the datamodel), is being used in many other panels' search query which might be causing the issue. If so, how to fix that?</SPAN></P> <P><SPAN>Please advise. </SPAN></P> <P><SPAN>Thanks</SPAN></P> Fri, 25 Sep 2020 22:41:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515108#M63100 ssharma09 2020-09-25T22:41:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515210#M63101 <P>The Palo Alto app makes extensive use of accelerated datamodels.&nbsp; By turning off accelerations you have disabled some panels.</P><P>The <FONT face="courier new,courier">nodename</FONT> keyword identifies a child within the datamodel rather than a field.</P> Thu, 20 Aug 2020 13:16:46 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515210#M63101 richgalloway 2020-08-20T13:16:46Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515322#M63102 <P>Hi R<SPAN>ichgalloway,</SPAN></P><P>Thanks for your reply.</P><P>Nothing happens when I enabled the acceleration of all the datamodels and they build 100%.</P><P>thanks,</P> Thu, 20 Aug 2020 22:43:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515322#M63102 ssharma09 2020-08-20T22:43:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515440#M63111 What do you mean by "nothing happens"? Apparently, something happens if the DMAs are successful.<BR />Do the datamodels have data? No panel will work if there is no data to display. Are the DMs looking in the right indexes? Fri, 21 Aug 2020 12:48:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515440#M63111 richgalloway 2020-08-21T12:48:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515664#M63126 <P>I'm concern about the dashboards which are using DM&nbsp;<SPAN>pan_firewalland it is100% bild and has data in it but still those dashboards are not showing any data.</SPAN></P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P> Sun, 23 Aug 2020 22:55:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515664#M63126 ssharma09 2020-08-23T22:55:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515782#M63130 You may need to debug the dashboard queries. Pick one and copy it into a search window. Delete everything after the first pipe (|) and run the search and verify the results. If it works then add the next pipe and repeat the process until you get no results. The last pipe added likely will be the cause of the problem. Perhaps you don't have a field or value the search expects.<BR />Once you've identified the problem, correct the search to work in your environment. Mon, 24 Aug 2020 13:11:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515782#M63130 richgalloway 2020-08-24T13:11:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515949#M63143 <P>I picked the search</P><P>WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name | rename log.* AS * | stats sum(count) AS count by threat_name threat_category severity</P><P>and remove every thing after first pipe : result &gt; no data</P><P>then, I just ran&nbsp; :&nbsp;| tstats summariesonly=t count FROM datamodel="pan_firewall"</P><P>it showed me data.</P> Tue, 25 Aug 2020 07:20:46 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/515949#M63143 ssharma09 2020-08-25T07:20:46Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/516019#M63145 <P>The tstats command you ran was partial, but still helpful.&nbsp; It shows there is data in the accelerated datamodel.</P><P>Next, please run the complete tstats command</P><LI-CODE lang="markup">| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name </LI-CODE><P>If that returns no results then I suspect your data is missing one or more of the severity, threat_category, or threat_name fields.&nbsp;</P> Tue, 25 Aug 2020 13:21:59 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/516019#M63145 richgalloway 2020-08-25T13:21:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/518950#M63408 <P>I'm in the exact same boat, guys. I put in just:</P><P>| tstats summariesonly=t count FROM datamodel="pan_firewall"</P><P>And I get data. When I put in:</P><P>| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name</P><P>I get nothing. I tried adding each argument in from the beginning and it immediately fails at the nodename designation.&nbsp;</P><P>Thoughts?&nbsp;</P> Thu, 10 Sep 2020 20:08:15 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-App-s-dashboards-not-showing-any-data-App-version-6-1/m-p/518950#M63408 BrendanCO 2020-09-10T20:08:15Z