All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

dfronck
Communicator
‎06-04-2014 06:29 AM

I installed the Splunk for Palo Alto Networks app. I am getting data and my index and source types are correct. When I do searches, all the PA fields are getting extracted.

However, I only the Overview dashboard works; it displays real-time information.

The other dashboards and sub-dashboards under Traffic, Threat, Content and System all say "Search is waiting for input..." and the drop downs all say "Search produced no results."

We are using a cluster so the app in installed on the heavy forwarder that receives the logs and a search head that can search all of our indexers.

EDIT: Just realized that the heavy forwarder is still running v6.0.3. Maybe that's the issue. Upgrading tonight to find out.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dfronck
Communicator
‎06-30-2014 08:30 AM

Thanks my2ndhead! That fixed it. It looks like the macro is not working so explicitly setting the root constraint to index=pan_logs "fixes" that.

If you're having this problem, here are the steps to fix it.

  1. Go to Data Models for the SplunkforPaloAltoNetworks app.
  2. Select Edit/Edit Acceleration and turn off acceleration.
  3. Then click "Palo Alto Networks Logs".
  4. Edit the "pan_index" constraint.
  5. Change "pan_index" to index=pan_logs and save.
  6. Click "Back to Data Models".
  7. Select Edit/Edit Acceleration and turn on acceleration and set the Summary Range.

All of the dashboards are working now.

View solution in original post

Reply
Solved! Jump to solution

emalenfant
Explorer
‎07-03-2014 01:42 PM

Thanks for this, but let me add, if you have a search head and multiple indexers, make the change on your search head, re-deploy the updated app to your indexers so they all receive the updated data model.

Thanks dfronck - your solution helped!

0 Karma
Reply
Solved! Jump to solution
Solution

dfronck
Communicator
‎06-30-2014 08:30 AM

Thanks my2ndhead! That fixed it. It looks like the macro is not working so explicitly setting the root constraint to index=pan_logs "fixes" that.

If you're having this problem, here are the steps to fix it.

  1. Go to Data Models for the SplunkforPaloAltoNetworks app.
  2. Select Edit/Edit Acceleration and turn off acceleration.
  3. Then click "Palo Alto Networks Logs".
  4. Edit the "pan_index" constraint.
  5. Change "pan_index" to index=pan_logs and save.
  6. Click "Back to Data Models".
  7. Select Edit/Edit Acceleration and turn on acceleration and set the Summary Range.

All of the dashboards are working now.

Reply
Solved! Jump to solution

btorresgil
Builder
‎10-10-2014 04:44 PM

This change is no longer needed in version 4.1.2 and higher. These versions of the Palo Alto Networks app contain the change already.

0 Karma
Reply
Solved! Jump to solution

my2ndhead
SplunkTrust
SplunkTrust
‎06-30-2014 05:58 AM

Looking at the search.log on the indexer shows, that the macro can not be found on the indexer:

06-30-2014 14:49:08.773 ERROR TsidxStats - Error in 'SearchParser': Could not find macro 'pan_index' that takes 0 arguments. Expecting stanza name 'pan_index'.
06-30-2014 14:49:08.773 INFO TsidxStats - Could not obtain a valid set of indexes to search

I fixed the problem with modifying the data model root object constraint from "pan_index" to "index=pan_logs".

0 Karma
Reply
Solved! Jump to solution

dfronck
Communicator
‎06-28-2014 04:27 PM

Trouble shooting with Splunk showed that I can go to the PAN App Search and enter "| datamodel pan_logs" and get results back.

I also enabled acceleration on the built in apps and they worked.

Support says the problem is in the App.

0 Karma
Reply
Solved! Jump to solution

trademarq
Explorer
‎06-20-2014 12:20 PM

Let us know what support says. I am having this same exact issue.

0 Karma
Reply
Solved! Jump to solution

dfronck
Communicator
‎06-18-2014 05:12 PM

I opened a case with splunk. The built in data models work but they aren't accelerated.

When I turn off acceleration in the PAN App, I don't get the errors from my indexers. Of course the pivots will take forever and the dashboards relay on acceleration so that's useless but at least I can now assume that the problem is data model acceleration.

0 Karma
Reply
Solved! Jump to solution

dfronck
Communicator
‎06-09-2014 07:48 PM

I don't think this app works if your indexers are clustered.

I installed the app on my search head pool, heavy forwarders and indexers. As I stated above, on the search heads, I only get data in the Overview Dashboard.

Using the app on the indexers, I get data on all of the dashboards but it's fairly useless because I only get the data that's on that singe indexer in the cluster.

0 Karma
Reply
Solved! Jump to solution

dfronck
Communicator
‎06-05-2014 04:15 AM

Didn't get to upgrade the forwarder but I don't see why that would cause an issue anyway.

If I use Pivot or go to PAN App search and enter (with back quotes around the search)
| _pan_dropdown(log.traffic.end, log.app)

I get the following error from all of my indexers.

[index_server] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search

Yet there are 300gb in /opt/splunk/var/lib/splunk/pan_logs/datamodel_summary on all of my indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top