All Apps and Add-ons

Palo Alto App no_appending_timestamp problem


In my inputs.conf file, if I have "no_appending_timestamp = true" as shown in the documentation, no graphs are created. The data is parsed fine, just no graphs.

When I go to say, the System Dashboard and do an "Open in Search" I see the search starts with " | tstats count (log_subtype) as ce from pan_system". If I try doing just that portion, the result is zero. Yet I can do a search on "sourcetype = pan_system" and see multiple values for log_subtype.

I looked more at the tstats function and saw that it depends on (time series) tsindex files. I looked in /opt/splunk/var/lib/splunk\tsidxstats\pan_system and saw no tsindex files.

I decided to modify inputs.conf, commenting out "no_appending_timestamp = true". When I restarted the app, then I saw that tsindex files were being created and I was getting graphs. However the receive_time field was being populated not with the value in the original syslog message, but with value that was prepended by "no_appending_timestamp".

So I don't understand - the documentation says to have "no_appending_timestamp = true", but that produces no graphs (in my case) and if I decide to comment it out, then at least one of the fields are not parsed correctly.

Here is an example syslog message with "no_appending_timestamp = true":

<11>Mar 10 10:58:50 1,2014/03/10 10:58:50,000FD103199,SYSTEM,general,0,2014/03/10 10:58:50,,general,,0,0,general,high,"Failed to connect to Pan-Agent at, source: (41 times)",0,0x0

And here is the same with "no_appending_timestamp = true" commented out:

Mar 5 21:19:09 <11>Mar 5 21:19:09 1,2014/03/05 21:19:09,0004C102557,SYSTEM,general,0,2014/03/05 21:19:09,,general,,0,0,general,high,"Failed to connect to Pan-Agent at, source: (41 times)",0,0x0

Any help would be appreciated.


Only the [udp://<remote server>:<port>] stanza has the no_appending_timestamp

You can read about it here

0 Karma


Thank you for that confirmation. I actually came across that same conclusion. The TCP stanza does not utilize the no_appending_timestamp option. I reached out to the developer of the palo alto splunk application and he is currently reviewing the issue.


[tcp:// ] stanza has not attribute of "no_appending_timestamp",[tcp:// ] stanza has not attribute of "no_appending_timestamp"



I'm receiving the same error regarding the incorrect stanza line, any resolution?

0 Karma


I am having the same issue as described above... in addition I noticed this error message upon starting Splunk:

Invalid key in stanza [tcp://5514] in /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf, line 5: no_appending_timestamp (value: true)
Invalid key in stanza [tcp://5514] in /opt/splunk/etc/apps/search/local/inputs.conf, line 63: no_appending_timestamp (value: true)

inputs.conf looks like:

index = pan_logs 
sourcetype = pan_log 
connection_host = ip 
no_appending_timestamp = true
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...