All Apps and Add-ons

Palo Alto App no_appending_timestamp problem

franks59
Explorer

In my inputs.conf file, if I have "no_appending_timestamp = true" as shown in the documentation, no graphs are created. The data is parsed fine, just no graphs.

When I go to say, the System Dashboard and do an "Open in Search" I see the search starts with " | tstats count (log_subtype) as ce from pan_system". If I try doing just that portion, the result is zero. Yet I can do a search on "sourcetype = pan_system" and see multiple values for log_subtype.

I looked more at the tstats function and saw that it depends on (time series) tsindex files. I looked in /opt/splunk/var/lib/splunk\tsidxstats\pan_system and saw no tsindex files.

I decided to modify inputs.conf, commenting out "no_appending_timestamp = true". When I restarted the app, then I saw that tsindex files were being created and I was getting graphs. However the receive_time field was being populated not with the value in the original syslog message, but with value that was prepended by "no_appending_timestamp".

So I don't understand - the documentation says to have "no_appending_timestamp = true", but that produces no graphs (in my case) and if I decide to comment it out, then at least one of the fields are not parsed correctly.

Here is an example syslog message with "no_appending_timestamp = true":

<11>Mar 10 10:58:50 192.168.62.3 1,2014/03/10 10:58:50,000FD103199,SYSTEM,general,0,2014/03/10 10:58:50,,general,,0,0,general,high,"Failed to connect to Pan-Agent at 192.168.62.4, source: 192.168.62.3 (41 times)",0,0x0

And here is the same with "no_appending_timestamp = true" commented out:

Mar 5 21:19:09 192.168.62.5 <11>Mar 5 21:19:09 192.168.62.3 1,2014/03/05 21:19:09,0004C102557,SYSTEM,general,0,2014/03/05 21:19:09,,general,,0,0,general,high,"Failed to connect to Pan-Agent at 192.168.62.4, source: 192.168.62.3 (41 times)",0,0x0

Any help would be appreciated.

guarisma
Contributor

Only the [udp://<remote server>:<port>] stanza has the no_appending_timestamp

You can read about it here

0 Karma

scott778
Explorer

Thank you for that confirmation. I actually came across that same conclusion. The TCP stanza does not utilize the no_appending_timestamp option. I reached out to the developer of the palo alto splunk application and he is currently reviewing the issue.

jslee
Explorer

[tcp:// ] stanza has not attribute of "no_appending_timestamp",[tcp:// ] stanza has not attribute of "no_appending_timestamp"

scott778
Explorer

bump

I'm receiving the same error regarding the incorrect stanza line, any resolution?

0 Karma

pstutz
Explorer

I am having the same issue as described above... in addition I noticed this error message upon starting Splunk:

Invalid key in stanza [tcp://5514] in /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf, line 5: no_appending_timestamp (value: true)
Invalid key in stanza [tcp://5514] in /opt/splunk/etc/apps/search/local/inputs.conf, line 63: no_appending_timestamp (value: true)

inputs.conf looks like:

[tcp://5514] 
index = pan_logs 
sourcetype = pan_log 
connection_host = ip 
no_appending_timestamp = true
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...