
Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Communicator

I installed the Splunk for Palo Alto Networks app. I am getting data and my index and source types are correct. When I do searches, all the PA fields are getting extracted.

However, only the Overview dashboard works; it displays real-time information.

The other dashboards and sub-dashboards under Traffic, Threat, Content and System all say "Search is waiting for input..." and the drop downs all say "Search produced no results."

We are using a cluster, so the app is installed on the heavy forwarder that receives the logs and on a search head that can search all of our indexers.

EDIT: Just realized that the heavy forwarder is still running v6.0.3. Maybe that's the issue. Upgrading tonight to find out.


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Communicator

Didn't get to upgrade the forwarder but I don't see why that would cause an issue anyway.

If I use Pivot or go to PAN App search and enter (with back quotes around the search)
| `_pan_dropdown(log.traffic.end, log.app)`

I get the following error from all of my indexers.

[indexserver] The search for datamodel 'panlogs' failed to parse, cannot get indexes to search

Yet there are 300 GB in /opt/splunk/var/lib/splunk/panlogs/datamodelsummary on all of my indexers.


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Communicator

I don't think this app works if your indexers are clustered.

I installed the app on my search head pool, heavy forwarders and indexers. As I stated above, on the search heads, I only get data in the Overview Dashboard.

Using the app on the indexers, I get data on all of the dashboards, but it's fairly useless because I only get the data that's on that single indexer in the cluster.


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Communicator

I opened a case with splunk. The built in data models work but they aren't accelerated.

When I turn off acceleration in the PAN App, I don't get the errors from my indexers. Of course the pivots will take forever and the dashboards rely on acceleration, so that's useless, but at least I can now assume that the problem is data model acceleration.


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Explorer

Let us know what support says. I am having this same exact issue.


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Communicator

Trouble shooting with Splunk showed that I can go to the PAN App Search and enter "| datamodel pan_logs" and get results back.

I also enabled acceleration on the built in apps and they worked.

Support says the problem is in the App.


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

SplunkTrust

Looking at the search.log on the indexer shows, that the macro can not be found on the indexer:

06-30-2014 14:49:08.773 ERROR TsidxStats - Error in 'SearchParser': Could not find macro 'panindex' that takes 0 arguments. Expecting stanza name 'panindex'.
06-30-2014 14:49:08.773 INFO TsidxStats - Could not obtain a valid set of indexes to search

I fixed the problem with modifying the data model root object constraint from "pan_index" to "index=pan_logs".


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Communicator

Thanks my2ndhead! That fixed it. It looks like the macro is not working so explicitly setting the root constraint to index=pan_logs "fixes" that.

If you're having this problem, here are the steps to fix it.

  1. Go to Data Models for the SplunkforPaloAltoNetworks app.
  2. Select Edit/Edit Acceleration and turn off acceleration.
  3. Then click "Palo Alto Networks Logs".
  4. Edit the "pan_index" constraint.
  5. Change "pan_index" to index=pan_logs and save.
  6. Click "Back to Data Models".
  7. Select Edit/Edit Acceleration and turn on acceleration and set the Summary Range.

All of the dashboards are working now.

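The diagnosis in my2ndhead's post (the indexer's search.log says it cannot expand the macro) and the fix in the steps above (pin the root object's constraint to a literal `index=` search) can both be reproduced outside the UI. The script below is an added example and is not code from the thread or from the Palo Alto Networks app: it extracts the macro name from search.log lines modelled on the ones quoted above, checks whether a macros.conf on the indexer actually defines that stanza, and rewrites a data model JSON's root object constraint from a bare macro call to `index=pan_logs`. The search.log lines, the macros.conf and the data model document are all constructed stand-ins; the real model file sits under the app's `default/data/models/` directory, and its exact name is not assumed here.

```python
"""
Added example (not from the thread or the Palo Alto Networks app).

1. pull the macro name out of the 'Could not find macro' error in search.log
2. check whether that stanza exists in the indexer's macros.conf
3. rewrite the data model's root object constraint from a bare macro
   call to a literal index= search, so indexers no longer need the macro
"""
import json
import re

# Constructed search.log lines, modelled on the two quoted in the thread.
SEARCH_LOG = """\
06-30-2014 14:49:08.773 ERROR TsidxStats - Error in 'SearchParser': Could not find macro 'panindex' that takes 0 arguments. Expecting stanza name 'panindex'.
06-30-2014 14:49:08.773 INFO TsidxStats - Could not obtain a valid set of indexes to search
"""

# Constructed macros.conf as it might look on an indexer that never got the app's macros.
INDEXER_MACROS_CONF = """\
[pan_threat]
definition = index=pan_logs sourcetype=pan_threat
"""

# Constructed minimal data model in the shape Splunk uses for data model JSON:
# a root object (parentName BaseEvent) whose only constraint is a macro call,
# and one child object that must be left untouched by the fix.
MODEL_JSON = json.dumps({
    "modelName": "pan_logs",
    "displayName": "Palo Alto Networks Logs",
    "objects": [
        {
            "objectName": "log",
            "displayName": "Log",
            "parentName": "BaseEvent",
            "constraints": [{"search": "`panindex`", "owner": "log"}],
        },
        {
            "objectName": "log.traffic",
            "displayName": "Traffic",
            "parentName": "log",
            "constraints": [{"search": "sourcetype=pan_traffic", "owner": "log.traffic"}],
        },
    ],
})

MACRO_ERR = re.compile(r"Could not find macro '([^']+)' that takes (\d+) arguments")


def missing_macros(search_log: str) -> list:
    """Return (name, argc) for every 'Could not find macro' error in the log text."""
    return [(m.group(1), int(m.group(2))) for m in MACRO_ERR.finditer(search_log)]


def macro_defined(macros_conf: str, name: str, argc: int = 0) -> bool:
    """True if macros.conf carries the stanza Splunk looks up: [name] or [name(argc)]."""
    stanza = name if argc == 0 else f"{name}({argc})"
    return re.search(rf"^\[{re.escape(stanza)}\]\s*$", macros_conf, re.M) is not None


def root_constraints(model_json: str) -> list:
    """List the constraint searches of the model's root object(s)."""
    model = json.loads(model_json)
    return [c["search"] for o in model["objects"]
            if o.get("parentName") == "BaseEvent" for c in o["constraints"]]


def pin_root_constraint(model_json: str, replacement: str = "index=pan_logs") -> str:
    """Replace root-object constraints that are a bare `macro` call with a literal search.

    Child objects keep their constraints; only the root object depends on the macro
    that the indexers cannot resolve.
    """
    model = json.loads(model_json)
    for obj in model["objects"]:
        if obj.get("parentName") != "BaseEvent":
            continue
        for c in obj["constraints"]:
            if re.fullmatch(r"`[^`]+`", c["search"].strip()):
                c["search"] = replacement
    return json.dumps(model, indent=4)


if __name__ == "__main__":
    for name, argc in missing_macros(SEARCH_LOG):
        defined = macro_defined(INDEXER_MACROS_CONF, name, argc)
        print(f"indexer cannot expand macro {name!r} ({argc} args); in macros.conf: {defined}")
    fixed = pin_root_constraint(MODEL_JSON)
    print("root constraints after fix:", root_constraints(fixed))
```

After rewriting the model, the acceleration summaries have to be rebuilt, which is why the steps above disable acceleration before the edit and re-enable it afterwards; an edited model file also has to reach every indexer in the cluster, not just the search head, or the summary-building searches will keep failing there.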


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Builder

This change is no longer needed in version 4.1.2 and higher. These versions of the Palo Alto Networks app contain the change already.


Re: Only the Overview dashboard has data PAN-App v4.1.1 Splunk v6.1.1

Explorer

Thanks for this, but let me add: if you have a search head and multiple indexers, make the change on your search head, then re-deploy the updated app to your indexers so they all receive the updated data model.

Thanks dfronck - your solution helped!
