All Apps and Add-ons

Dashboards not populating other than main Palo Alto Network Overview Dash

lbogle
Contributor

I recall we had this issue last time during the POC for PAN, but I don’t recall what the fix was.
I also disabled Splunk Enterprise Security to see if there was some sort of resource conflict but there appeared not to be.
When I checked the Palo Alto Networks Logs Data Models and then checked the Pivots and tried to build a table, I received the following errors:
[lab-splunk] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-ap] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-eu] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
[splunk-index-sj] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search
If I ran a Pivot in “Network Traffic” I received no errors.

I also followed the below solution with no change in status.
http://answers.splunk.com/answers/138840/only-the-overview-dashboard-has-data-pan-app-v4-1-1-splunk-...
with no change in status

Palo Alto Networks Logs
This datamodel represents all the syslogs produced by Palo Alto Networks devices. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.
MODEL
Objects
17 Events Edit
Permissions
Shared in App. Owned by nobody. Edit
ACCELERATION
Rebuild Update Edit
Status
Building
Access Count
0. Last Access: 1969-12-31T16:00:00-08:00
Size on Disk
0.00MB
Summary Range
31536000
Buckets
0

Waited a couple hours, restarted Splunk search head. Tried switching between PAN_index and PAN_logs per the instructions with no change in status.

PAN Logs are otherwise searchable and are showing up correctly it appears. Clocks between PAN FW's and Splunk app are within minutes of one another.

Configured PAN App using these instructions:
https://live.paloaltonetworks.com/docs/DOC-6593

0 Karma
1 Solution

lbogle
Contributor

It looks like some data streams are getting sent over into Panorama from the firewalls and then to Splunk and some weren't.
Thanks Brian for the assistance with tracking that down!

View solution in original post

0 Karma

lbogle
Contributor

It looks like some data streams are getting sent over into Panorama from the firewalls and then to Splunk and some weren't.
Thanks Brian for the assistance with tracking that down!

0 Karma

btorresgil
Builder

Looks like the Datamodel is stuck in Building status. To start, I recommend upgrading to the latest version of the app, 4.1.2, which has the fix you mentioned for the Datamodel. Then remove any changes to the data model by deleting the directory SplunkforPaloAltoNetworks/local/data/models. Then restart Splunk and rebuild the data model by clicking the 'rebuild' button. That should cause the data to accelerate and the dashboards to populate.

Also ensure that you've installed the app on your search heads and indexers and that the 'pan_logs' index exists and contains your firewall logs.

lbogle
Contributor

Just FYI, the build (after letting it run over the weekend is now 18%.

0 Karma

lbogle
Contributor

HI Brian,
Did this last Friday Night and dashboards started populating and building. The data model seems to have gotten stuck under 10%. Dashboards started disappearing and it looks like data stopped being processed in the dash, though the logs are still updating properly properly.
Any other suggestions?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...