Global protect dashboard empty

Iwdavies · ‎07-08-2021

I have some of the dashboards showing information and some do not. Currently I'm working on getting the global protect dashboard to show information.

While I do see global protect listed in some of the log files while looking at Pan:system; I do not see "log_subtype="globalprotect"".

I do see the following log subtypes:

vpn

general

auth

userid

url-filtering

I unfortunately have no idea how to tell the system how to parse the data for globalprotect.

Ian

richgalloway · ‎07-08-2021

Are you Splunking your Global Protect data? If not, then it will never appear on a dashboard until you do.

It's possible your data is formatted differently from what is expected by the dashboard. That can happen has products change over time. Perhaps log_subtype=vpn is what you need. Clone the dashboard and modify it to fit your data.

---
If this reply helps you, Karma would be appreciated.

Iwdavies · ‎07-09-2021

Unfortunately, the vpn log type is for our point-to-point tunnels and not GlobalProtect 😞

I do see global protect data if I look at the data directly, I just don't see it populating the dashboard .

Ian

richgalloway · ‎07-09-2021

If you can see the data using manual searches then you are halfway there. Clone the GP dashboard and modify it to use your manual searches.

---
If this reply helps you, Karma would be appreciated.

Global protect dashboard empty

dashboard

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio