Dashboards not populating other than main Palo Alto Network Overview Dash

Contributor

I recall we had this issue last time during the POC for PAN, but I don’t recall what the fix was.
I also disabled Splunk Enterprise Security to see if there was some sort of resource conflict but there appeared not to be.
When I checked the Palo Alto Networks Logs Data Models and then checked the Pivots and tried to build a table, I received the following errors:
[lab-splunk] The search for datamodel 'panlogs' failed to parse, cannot get indexes to search
[splunk-index-ap] The search for datamodel 'panlogs' failed to parse, cannot get indexes to search
[splunk-index-eu] The search for datamodel 'panlogs' failed to parse, cannot get indexes to search
[splunk-index-sj] The search for datamodel 'panlogs' failed to parse, cannot get indexes to search
If I ran a Pivot in “Network Traffic” I received no errors.

I also followed the solution below, with no change in status:
http://answers.splunk.com/answers/138840/only-the-overview-dashboard-has-data-pan-app-v4-1-1-splunk-...

Palo Alto Networks Logs
This datamodel represents all the syslogs produced by Palo Alto Networks devices. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.
Model objects: 17 events
Permissions: Shared in App. Owned by nobody.
Acceleration status: Building
Access count: 0. Last access: 1969-12-31T16:00:00-08:00
Size on disk: 0.00MB
Summary range: 31536000
Buckets: 0

Waited a couple of hours, restarted the Splunk search head. Tried switching between PANindex and PANlogs per the instructions, with no change in status.

PAN logs are otherwise searchable and appear to be showing up correctly. Clocks between the PAN FWs and the Splunk app are within minutes of one another.

Configured PAN App using these instructions:
https://live.paloaltonetworks.com/docs/DOC-6593


Contributor

It looks like some data streams are getting sent over into Panorama from the firewalls and then to Splunk and some weren't.
Thanks Brian for the assistance with tracking that down!


Builder

Looks like the Datamodel is stuck in Building status. To start, I recommend upgrading to the latest version of the app, 4.1.2, which has the fix you mentioned for the Datamodel. Then remove any changes to the data model by deleting the directory SplunkforPaloAltoNetworks/local/data/models. Then restart Splunk and rebuild the data model by clicking the 'rebuild' button. That should cause the data to accelerate and the dashboards to populate.

Also ensure that you've installed the app on your search heads and indexers and that the 'pan_logs' index exists and contains your firewall logs.
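The check-and-reset steps from the answer above as a shell script. This is an added example written for this page, not code shipped with the Palo Alto Networks app or with Splunk; it assumes the standard $SPLUNK_HOME/etc layout and the index and app names used in the thread (pan_logs, SplunkforPaloAltoNetworks), and it builds a throwaway fixture so it runs without a Splunk install. Moving the local model directory to a backup rather than deleting it is my choice, not the answer's.

```shell
#!/bin/sh
# Pre-rebuild checks for a data model stuck in "Building", following the
# answer above: confirm the pan_logs index is defined, find local edits to
# the app's data models, move them aside, then restart and rebuild.
# Added example for this page; not part of the PAN app or Splunk.
set -u

# 0 if the given indexes.conf defines the named index stanza, 1 otherwise.
index_defined() {          # $1 = indexes.conf path, $2 = index name
    grep -q "^\[$2\][[:space:]]*$" "$1" 2>/dev/null
}

# Print any local data-model overrides in an app (nothing if there are none).
local_model_overrides() {  # $1 = app directory
    [ -d "$1/local/data/models" ] || return 0
    find "$1/local/data/models" -type f -name '*.json' | sort
}

# Move local/data/models to a backup directory. The answer says to delete it;
# keeping a copy (my choice) lets you diff your edits against the shipped model.
reset_local_models() {     # $1 = app directory, $2 = backup directory
    if [ ! -d "$1/local/data/models" ]; then
        echo "no local data-model overrides in $1"
        return 0
    fi
    mkdir -p "$2"
    mv "$1/local/data/models" "$2/models.bak"
    echo "moved $1/local/data/models to $2/models.bak"
}

# Searches to run after the restart and rebuild (e.g. splunk search '<spl>'):
# the first proves raw firewall events exist in the index, the second proves
# the accelerated summary for the panlogs model is actually being filled.
spl_checks() {
    printf '%s\n' \
        'index=pan_logs | head 1' \
        '| tstats summariesonly=true count from datamodel=panlogs'
}

# --- constructed fixture so the script runs without a Splunk install -------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
app="$work/etc/apps/SplunkforPaloAltoNetworks"
mkdir -p "$app/local/data/models" "$work/etc/system/local"
# indexes.conf with the pan_logs index defined (sample content, constructed).
printf '[pan_logs]\nhomePath = $SPLUNK_DB/pan_logs/db\n' \
    > "$work/etc/system/local/indexes.conf"
# Leftover from a hand edit of the model in the UI (sample content, constructed).
printf '{"modelName": "panlogs"}\n' > "$app/local/data/models/panlogs.json"

# --- run the checks ---------------------------------------------------------
if index_defined "$work/etc/system/local/indexes.conf" pan_logs; then
    echo "pan_logs index: defined"
else
    echo "pan_logs index: MISSING; create it before rebuilding" >&2
fi
overrides=$(local_model_overrides "$app")
if [ -n "$overrides" ]; then
    echo "local data-model overrides found:"
    echo "$overrides"
fi
reset_local_models "$app" "$work/backup"
echo "next: splunk restart, click Rebuild on the model, then run:"
spl_checks
```

On a real search head, point the index check at the output of `splunk btool indexes list` rather than a single indexes.conf, since the index may be defined in any app; the rest of the procedure (move the local model directory aside, restart, Rebuild, then confirm with the two searches) is the same. A tstats count that stays at zero while the raw search returns events is the symptom this thread is about.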

Contributor

Just FYI, the build (after letting it run over the weekend) is now at 18%.

Contributor

Hi Brian,
Did this last Friday night and the dashboards started populating and building. The data model seems to have gotten stuck under 10%. Dashboards started disappearing and it looks like data stopped being processed in the dashboards, though the logs are still updating properly.
Any other suggestions?