All Apps and Add-ons

Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

dfronck
Communicator

I installed the Splunk for Palo Alto Networks app. I am getting data and my index and source types are correct. When I do searches, all the PA fields are getting extracted.

However, I only the Overview dashboard works; it displays real-time information.

The other dashboards and sub-dashboards under Traffic, Threat, Content and System all say "Search is waiting for input..." and the drop downs all say "Search produced no results."

We are using a cluster so the app in installed on the heavy forwarder that receives the logs and a search head that can search all of our indexers.

EDIT: Just realized that the heavy forwarder is still running v6.0.3. Maybe that's the issue. Upgrading tonight to find out.

0 Karma
1 Solution

dfronck
Communicator

Thanks my2ndhead! That fixed it. It looks like the macro is not working so explicitly setting the root constraint to index=pan_logs "fixes" that.

If you're having this problem, here are the steps to fix it.

  1. Go to Data Models for the SplunkforPaloAltoNetworks app.
  2. Select Edit/Edit Acceleration and turn off acceleration.
  3. Then click "Palo Alto Networks Logs".
  4. Edit the "pan_index" constraint.
  5. Change "pan_index" to index=pan_logs and save.
  6. Click "Back to Data Models".
  7. Select Edit/Edit Acceleration and turn on acceleration and set the Summary Range.

All of the dashboards are working now.

View solution in original post

emalenfant
Explorer

Thanks for this, but let me add, if you have a search head and multiple indexers, make the change on your search head, re-deploy the updated app to your indexers so they all receive the updated data model.

Thanks dfronck - your solution helped!

0 Karma

dfronck
Communicator

Thanks my2ndhead! That fixed it. It looks like the macro is not working so explicitly setting the root constraint to index=pan_logs "fixes" that.

If you're having this problem, here are the steps to fix it.

  1. Go to Data Models for the SplunkforPaloAltoNetworks app.
  2. Select Edit/Edit Acceleration and turn off acceleration.
  3. Then click "Palo Alto Networks Logs".
  4. Edit the "pan_index" constraint.
  5. Change "pan_index" to index=pan_logs and save.
  6. Click "Back to Data Models".
  7. Select Edit/Edit Acceleration and turn on acceleration and set the Summary Range.

All of the dashboards are working now.

btorresgil
Builder

This change is no longer needed in version 4.1.2 and higher. These versions of the Palo Alto Networks app contain the change already.

0 Karma

my2ndhead
SplunkTrust
SplunkTrust

Looking at the search.log on the indexer shows, that the macro can not be found on the indexer:

06-30-2014 14:49:08.773 ERROR TsidxStats - Error in 'SearchParser': Could not find macro 'pan_index' that takes 0 arguments. Expecting stanza name 'pan_index'.
06-30-2014 14:49:08.773 INFO TsidxStats - Could not obtain a valid set of indexes to search

I fixed the problem with modifying the data model root object constraint from "pan_index" to "index=pan_logs".

0 Karma

dfronck
Communicator

Trouble shooting with Splunk showed that I can go to the PAN App Search and enter "| datamodel pan_logs" and get results back.

I also enabled acceleration on the built in apps and they worked.

Support says the problem is in the App.

0 Karma

trademarq
Explorer

Let us know what support says. I am having this same exact issue.

0 Karma

dfronck
Communicator

I opened a case with splunk. The built in data models work but they aren't accelerated.

When I turn off acceleration in the PAN App, I don't get the errors from my indexers. Of course the pivots will take forever and the dashboards relay on acceleration so that's useless but at least I can now assume that the problem is data model acceleration.

0 Karma

dfronck
Communicator

I don't think this app works if your indexers are clustered.

I installed the app on my search head pool, heavy forwarders and indexers. As I stated above, on the search heads, I only get data in the Overview Dashboard.

Using the app on the indexers, I get data on all of the dashboards but it's fairly useless because I only get the data that's on that singe indexer in the cluster.

0 Karma

dfronck
Communicator

Didn't get to upgrade the forwarder but I don't see why that would cause an issue anyway.

If I use Pivot or go to PAN App search and enter (with back quotes around the search)
| _pan_dropdown(log.traffic.end, log.app)

I get the following error from all of my indexers.

[index_server] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search

Yet there are 300gb in /opt/splunk/var/lib/splunk/pan_logs/datamodel_summary on all of my indexers.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...