topic Re: Palo Alto Networks App Dashboards not populating in All Apps and Add-ons

Palo Alto Networks App Dashboards not populating

heathramos — Tue, 17 Jun 2025 14:41:56 GMT

if I run the following search, I get records: index="pan" host="*"

none of the dashboards show any info

what could cause this?

Re: Palo Alto Networks App Dashboards not populating

sainag_splunk — Tue, 17 Jun 2025 15:15:47 GMT

@heathramos Your dashboard isn't populating because it's looking for data in places that don't exist in your environment.

The main culprit is probably the p_index macro. Your dashboard is using `p_index` but this macro either doesn't exist or isn't pointing to the right place. Go to Settings > Advanced Search > Search Macros and see if you have one called p_index. If not, create it. If yes, make sure it's set to your actual Palo Alto index.

tip: When you're in the Search app, you can Cmd+Shift+E (Mac) or Ctrl+Shift+E (Windows) to expand macros in your search and see what they actually resolve to. This will show you exactly what `p_index` is doing.

Second issue - sourcetype mismatch. The dashboard expects sourcetype="pan:xdr_incident" but your data probably has a different sourcetype. Run this to see what you actually have:

index=pan | stats count by sourcetype

Quick test: Try running the base search manually with your actual values instead of the tokens. Replace $severity$ with * and see if you get any results.

The dashboard is basically looking for some field names like incident_id, severity, status etc. If your XDR data doesn't have these exact field names, nothing will show up.

Most of these Palo Alto app dashboards assume you've configured everything exactly as Palo Alto intended, but real environments are messier. You'll probably need to either:

Fix your data inputs to match what the dashboard expects, OR
Edit the dashboard searches to match your actual data structure

Start with that macro expansion trick and sourcetype check - those are usually the smoking guns.

Good luck!

If this Helps, Please Upvote.

Re: Palo Alto Networks App Dashboards not populating

heathramos — Tue, 17 Jun 2025 15:29:39 GMT

I don't see p_index

When I create it, how exactly do I configure it?

What do I put under definition?

Re: Palo Alto Networks App Dashboards not populating

livehybrid — Tue, 17 Jun 2025 15:48:55 GMT

Hi @heathramos

It sounds like you havent installed Splunk Add-on for Palo Alto Networks - You need this in addition to the Splunk App for Palo Alto Networks because the Add-on contains all the macros that the dashboards in the app use, such as p_index, pan_tstats, pan_summariesonly and pan_logs.

Please install this and hopefully this should resolve the issue, once installed check the p_index - by default this is "index=pan*" so if your index is called "pan" then the default should be fine.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Palo Alto Networks App Dashboards not populating

heathramos — Tue, 17 Jun 2025 16:27:08 GMT

I checked and it was installed but not running the latest version

updated the pan app and pan add-on to the latest version but dashboards still don't work

Re: Palo Alto Networks App Dashboards not populating

livehybrid — Tue, 17 Jun 2025 20:03:24 GMT

Hi @heathramos

Okay so this is installed, you should be able to see the macros in them - Are you able to see any of the previously mentioned macros when in the app?

Re: Palo Alto Networks App Dashboards not populating

heathramos — Tue, 17 Jun 2025 20:10:24 GMT

I see a pan_index macro among others

Re: Palo Alto Networks App Dashboards not populating

sainag_splunk — Tue, 17 Jun 2025 20:10:57 GMT

@heathramos

Since the p_index macro doesn't exist, here's how to dig into the dashboard and fix it:

Edit the dashboard directly:

Go to your dashboard
Click the Edit button (top right)
Click on each panel/visualization that's not showing data
Click Edit Search for each one magnifying glass
You'll see searches that start with `p_index` sourcetype="pan:xdr_incident"

Replace the macro with your actual index:

Change `p_index` to index=pan (or whatever your actual Palo Alto index is called)
So the search becomes: index=pan sourcetype="pan:xdr_incident"

Do this for every search in the dashboard. There are probably 8-10 different searches based on your dashboard config.

While you're in there, also check:

Does sourcetype="pan:xdr_incident" match your actual data? Run index=pan | stats count by sourcetype first to confirm
If your sourcetype is different (like pan:incident or cortex:xdr), update those too

Re: Palo Alto Networks App Dashboards not populating

heathramos — Tue, 17 Jun 2025 20:22:00 GMT

I see searches like the following:

| tstats summariesonly=t values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="*" GROUPBY _time log.dest_name log.app:category log.app log.action log.content_type log.vendor_action | rename log.* AS * | stats sum(count) AS count values(app) AS app values(category) AS category BY dest_name
| table dest_name app category count
| sort -count

Re: Palo Alto Networks App Dashboards not populating

sainag_splunk — Tue, 17 Jun 2025 20:41:32 GMT

@heathramos

yeah this is going to be a fun one.

You've got data model issues, which is way more involved than just fixing a macro. Data models are these complex hierarchical things with parent/child datasets that need to be built and accelerated properly - it's a whole thing.

Looking at that search, it's trying to pull from datamodel=pan_firewall with specific node relationships. If that's not set up right (or at all), nothing's going to work. And troubleshooting data models means digging into dataset structures, field mappings, acceleration status - it's honestly not a quick fix.

If you need this dashboard working soon and it's important to the business, you might want to just work with Splunk ondemand services. They can sort out your data models properly instead of you spending days figuring out why the acceleration isn't working or why the field extractions are wrong.

If you want to try, spend some time in Settings > Data Models, checking what's actually there vs what the dashboard expects. You'll probably end up either rebuilding data models from scratch or rewriting all these tstats searches to use regular SPL.

It's more like -audit your entire Palo Alto data ingestion and modeling setup.

If this Helps Please Upvote.

Re: Palo Alto Networks App Dashboards not populating

heathramos — Tue, 17 Jun 2025 20:48:39 GMT

that's for the help

I will play with the data model when I have time

I noticed parts were giving any records in the preview unless I manually added the index.

I tried adding the index to various steps and enabling acceleration but it still didn't work

Re: Palo Alto Networks App Dashboards not populating

heathramos — Wed, 18 Jun 2025 13:35:41 GMT

FYI

It looks like the dashboards are now working

changing the datamodel at every step and adding the index reference fixed the issue

thanks for the help

Re: Palo Alto Networks App Dashboards not populating

sainag_splunk — Wed, 18 Jun 2025 13:41:57 GMT

@heathramos Thanks for the update, glad it worked out.