
Palo Alto Dashboard (URL Filtering) not populating any data.

MatthewH007
Path Finder

URL Filtering is the Dashboard I want to concentrate on as it has been requested for use.

I have exhausted the troubleshooting steps found in the app documentation and am not sure why certain dashboards are not working properly.

The following don't work at all:
URL Filtering Dashboard
Traffic Dashboard
Web Activity Report

What I have done:
1. Re-built the Palo Alto Data models and ensured they are at 100%.
2. Performed Pivot searches via the data model "Palo Alto Networks Firewall Logs" and received results.
3. Specifically used the 'URL Filtering' part of the datamodel and that also works fine when pivoting and I get the proper results.

Also, I can search through the logs fine and get traffic, threat, system, and config logs. I have tried simply opening one of the searches on the dashboard, but nothing happens: I click on the magnifying glass and no window pops up and no error appears. However, when I try to 'inspect' the search, I get an error stating 'Unknown SID'.

I did end up opening the search, but only if I choose to 'Edit' the dashboard itself. I have tried placing all of the searches into a search query, but I get an error stating
Error in 'TsidxStats': WHERE clause is not an exact query

Looking at the query itself, it appears that the issue resides with the macro "node(1)", which is defined as follows:
datamodel="pan_firewall" WHERE nodename="$nodename$"

I have not changed anything with the app and this is a default macro that comes with the app. Does anyone have any thoughts as to why this is occurring or any Troubleshooting steps I could take?

tommoore
Path Finder

I have the same issue. The problem is that there is no field called "nodename" in the datamodel. I cannot find anywhere in the TA that defines this field, so it will never match, and thus a lot of the dashboards don't work.

~/Splunk_TA_paloalto
└──╼ grep -ri nodename *| grep -v .js
bin/splunk_ta_paloalto/cloudconnectlib/splunktalib/modinput.py: if doc.nodeName == "input":
bin/splunk_ta_paloalto/solnlib/net_utils.py: # [Errno 8] nodename nor servname provided, or not known
lookups/threat_list.csv:36853,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0764"
lookups/threat_list.csv:36707,"Advantech WebAccess Browser ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0985"
lookups/threat_list.csv:38655,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability","code-execution",medium,"CVE-2014-0764"

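The two posts above narrow the problem down to the node(1) macro and the nodename field it filters on. As an added example (my own code, not part of the Palo Alto app or TA), here is a small Python audit that loads a data model in Splunk's datamodel JSON format, lists every field the model declares, and then checks a macro's WHERE clause for two things: field names the model does not declare, and $token$ placeholders that were never expanded. The data model JSON below is a constructed sample with illustrative object and field names, not a copy of the real pan_firewall model; point the script at the app's own datamodels/pan_firewall.json to audit the real thing.

```python
"""Audit a Splunk data model search macro against the data model's JSON.

Hypothetical helper, not part of the Palo Alto app or TA. It collects the
fields a data model declares and compares them with the fields a macro's
WHERE clause references. It also flags unexpanded $token$ placeholders,
which is exactly what you get when a macro definition is pasted into the
search bar instead of being invoked as `node(...)`.
"""
import json
import re

# Constructed sample in the shape of Splunk's datamodel JSON export
# (modelName, objects[].fields[].fieldName, objects[].calculations[]
# .outputFields[].fieldName). Object and field names are illustrative
# and are NOT a copy of the real pan_firewall data model.
SAMPLE_DATAMODEL_JSON = json.dumps({
    "modelName": "pan_firewall",
    "displayName": "Palo Alto Networks Firewall Logs",
    "objects": [
        {
            "objectName": "log",
            "parentName": "BaseEvent",
            "fields": [
                {"fieldName": "_time", "type": "timestamp"},
                {"fieldName": "host", "type": "string"},
                {"fieldName": "log_subtype", "type": "string"},
            ],
            "calculations": [
                {"calculationType": "Eval",
                 "outputFields": [{"fieldName": "vendor_action"}]}
            ],
        },
        {
            "objectName": "url",
            "parentName": "log",
            "fields": [
                {"fieldName": "url", "type": "string"},
                {"fieldName": "category", "type": "string"},
            ],
            "calculations": [],
        },
    ],
})

# $name$ placeholders: macro arguments (or dashboard tokens) left unexpanded.
TOKEN_RE = re.compile(r"\$[A-Za-z_][A-Za-z0-9_.]*\$")
# A field name (optionally object-qualified) directly followed by a comparison.
FIELD_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_.]*)\s*(?:!=|<=|>=|=|<|>)")


def declared_fields(datamodel_json: str) -> set:
    """Return every field the model declares, both bare and object-qualified."""
    model = json.loads(datamodel_json)
    names = set()
    for obj in model.get("objects", []):
        obj_name = obj["objectName"]
        for field in obj.get("fields", []):
            names.add(field["fieldName"])
            names.add(f"{obj_name}.{field['fieldName']}")
        for calc in obj.get("calculations", []):
            for out in calc.get("outputFields", []):
                names.add(out["fieldName"])
                names.add(f"{obj_name}.{out['fieldName']}")
    return names


def where_clause(macro_definition: str) -> str:
    """Extract the text after WHERE in a `datamodel=... WHERE ...` macro body."""
    m = re.search(r"\bWHERE\b(.*)$", macro_definition, re.IGNORECASE | re.DOTALL)
    return m.group(1).strip() if m else ""


def audit_macro(macro_definition: str, datamodel_json: str) -> dict:
    """Report unexpanded tokens and undeclared fields in the WHERE clause."""
    clause = where_clause(macro_definition)
    tokens = sorted(set(TOKEN_RE.findall(clause)))
    referenced = []
    for name in FIELD_RE.findall(clause):
        # Boolean operators never sit before a comparison, but be defensive.
        if name.upper() not in ("AND", "OR", "NOT") and name not in referenced:
            referenced.append(name)
    known = declared_fields(datamodel_json)
    return {
        "where": clause,
        "unexpanded_tokens": tokens,
        "referenced_fields": referenced,
        "undeclared_fields": [f for f in referenced if f not in known],
    }


if __name__ == "__main__":
    # The macro body quoted in the thread, audited against the sample model.
    macro = 'datamodel="pan_firewall" WHERE nodename="$nodename$"'
    print(json.dumps(audit_macro(macro, SAMPLE_DATAMODEL_JSON), indent=2))
```

Two caveats when reading the output. First, in a Splunk macro definition `$nodename$` is the macro's argument placeholder (the `(1)` in node(1) says it takes one argument); it is only filled in when the macro is invoked as `node(...)`, so pasting the raw definition into a search leaves the literal `$nodename$` in the WHERE clause, and tstats rejects that. Second, the script only sees fields the JSON declares, while `nodename` is also a field that accelerated data model searches (`| tstats ... from datamodel=... where nodename=...`) supply on their own, so its absence from the JSON is a lead to follow, not proof that the macro can never match.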

nmensah
Explorer

Was this issue ever resolved? We are experiencing a similar problem.


MatthewH007
Path Finder

This issue was not resolved. I decided to just create my own dashboard with similar searches.


lakshman239
SplunkTrust

Are you seeing any logs/events when you run |from datamodel:"pan_firewall"? It seems the search is broken or the fields in the datamodel have changed. What version of the add-on and app are you using?
