All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Palo Alto App no_appending_timestamp problem

franks59
Explorer
‎03-13-2014 07:02 AM

In my inputs.conf file, if I have "no_appending_timestamp = true" as shown in the documentation, no graphs are created. The data is parsed fine, just no graphs.

When I go to say, the System Dashboard and do an "Open in Search" I see the search starts with " | tstats count (log_subtype) as ce from pan_system". If I try doing just that portion, the result is zero. Yet I can do a search on "sourcetype = pan_system" and see multiple values for log_subtype.

I looked more at the tstats function and saw that it depends on (time series) tsindex files. I looked in /opt/splunk/var/lib/splunk\tsidxstats\pan_system and saw no tsindex files.

I decided to modify inputs.conf, commenting out "no_appending_timestamp = true". When I restarted the app, then I saw that tsindex files were being created and I was getting graphs. However the receive_time field was being populated not with the value in the original syslog message, but with value that was prepended by "no_appending_timestamp".

So I don't understand - the documentation says to have "no_appending_timestamp = true", but that produces no graphs (in my case) and if I decide to comment it out, then at least one of the fields are not parsed correctly.

Here is an example syslog message with "no_appending_timestamp = true":

<11>Mar 10 10:58:50 192.168.62.3 1,2014/03/10 10:58:50,000FD103199,SYSTEM,general,0,2014/03/10 10:58:50,,general,,0,0,general,high,"Failed to connect to Pan-Agent at 192.168.62.4, source: 192.168.62.3 (41 times)",0,0x0

And here is the same with "no_appending_timestamp = true" commented out:

Mar 5 21:19:09 192.168.62.5 <11>Mar 5 21:19:09 192.168.62.3 1,2014/03/05 21:19:09,0004C102557,SYSTEM,general,0,2014/03/05 21:19:09,,general,,0,0,general,high,"Failed to connect to Pan-Agent at 192.168.62.4, source: 192.168.62.3 (41 times)",0,0x0

Any help would be appreciated.

Reply

guarisma
Contributor
‎08-13-2019 10:01 AM

Only the [udp://<remote server>:<port>] stanza has the no_appending_timestamp

You can read about it here

0 Karma
Reply

scott778
Explorer
‎11-06-2014 06:43 AM

Thank you for that confirmation. I actually came across that same conclusion. The TCP stanza does not utilize the no_appending_timestamp option. I reached out to the developer of the palo alto splunk application and he is currently reviewing the issue.

Reply

jslee
Explorer
‎11-06-2014 12:17 AM

[tcp:// ] stanza has not attribute of "no_appending_timestamp",[tcp:// ] stanza has not attribute of "no_appending_timestamp"

Reply

scott778
Explorer
‎10-27-2014 01:50 PM

bump

I'm receiving the same error regarding the incorrect stanza line, any resolution?

0 Karma
Reply

pstutz
Explorer
‎08-20-2014 02:18 PM

I am having the same issue as described above... in addition I noticed this error message upon starting Splunk:

Invalid key in stanza [tcp://5514] in /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf, line 5: no_appending_timestamp (value: true)
Invalid key in stanza [tcp://5514] in /opt/splunk/etc/apps/search/local/inputs.conf, line 63: no_appending_timestamp (value: true)

inputs.conf looks like:

[tcp://5514] 
index = pan_logs 
sourcetype = pan_log 
connection_host = ip 
no_appending_timestamp = true
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...