All Apps and Add-ons

Dashboards not populating other than main Palo Alto Network Overview Dash

lbogle
Contributor

I recall we had this issue last time during the POC for PAN, but I don’t recall what the fix was.
I also disabled Splunk Enterprise Security to see if there was some sort of resource conflict but there appeared not to be.
When I checked the Palo Alto Networks Logs Data Models and then checked the Pivots and tried to build a table, I received the following errors:
[lab-splunk] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-ap] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-eu] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-sj] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
If I ran a Pivot in “Network Traffic” I received no errors.

I also followed the below solution with no change in status.
http://answers.splunk.com/answers/138840/only-the-overview-dashboard-has-data-pan-app-v4-1-1-splunk-...
with no change in status

Palo Alto Networks Logs
This datamodel represents all the syslogs produced by Palo Alto Networks devices. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.
MODEL
Objects
17 Events Edit
Permissions
Shared in App. Owned by nobody. Edit
ACCELERATION
Rebuild Update Edit
Status
Building
Access Count
0. Last Access: 1969-12-31T16:00:00-08:00
Size on Disk
0.00MB
Summary Range
31536000
Buckets
0

Waited a couple hours, restarted Splunk search head. Tried switching between PAN_index and PAN_logs per the instructions with no change in status.

PAN Logs are otherwise searchable and are showing up correctly it appears. Clocks between PAN FW's and Splunk app are within minutes of one another.

Configured PAN App using these instructions:
https://live.paloaltonetworks.com/docs/DOC-6593

0 Karma
1 Solution

lbogle
Contributor

It looks like some data streams are getting sent over into Panorama from the firewalls and then to Splunk and some weren't.
Thanks Brian for the assistance with tracking that down!

View solution in original post

0 Karma

lbogle
Contributor

It looks like some data streams are getting sent over into Panorama from the firewalls and then to Splunk and some weren't.
Thanks Brian for the assistance with tracking that down!

0 Karma

btorresgil
Builder

Looks like the Datamodel is stuck in Building status. To start, I recommend upgrading to the latest version of the app, 4.1.2, which has the fix you mentioned for the Datamodel. Then remove any changes to the data model by deleting the directory SplunkforPaloAltoNetworks/local/data/models. Then restart Splunk and rebuild the data model by clicking the 'rebuild' button. That should cause the data to accelerate and the dashboards to populate.

Also ensure that you've installed the app on your search heads and indexers and that the 'pan_logs' index exists and contains your firewall logs.

lbogle
Contributor

Just FYI, the build (after letting it run over the weekend is now 18%.

0 Karma

lbogle
Contributor

HI Brian,
Did this last Friday Night and dashboards started populating and building. The data model seems to have gotten stuck under 10%. Dashboards started disappearing and it looks like data stopped being processed in the dash, though the logs are still updating properly properly.
Any other suggestions?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...