URL Filtering is the Dashboard I want to concentrate on as it has been requested for use.
I have exhausted the Troubleshooting that is found in the app documentation and am not sure why certain Dashboards are not working properly.
The following don't work at all:
URL Filtering Dashboard
Web Activity Report
What I have done:
1. Re-built the Palo Alto Data models and ensured they are at 100%.
2. Performed Pivot searches via the data model "Palo Alto Networks Firewall Logs" and received results.
3. Specifically used the 'URL Filtering' part of the datamodel and that also works fine when pivoting and I get the proper results.
Also, I can search through the logs fine and get traffic, threat, system, and config logs. I have tried simply opening one of the searches on the dashboard, but nothing happens. As in, I click on the magnifying glass and no window pops up and no error appears. However, when I try to 'inspect' the search, I get an error stating 'Unknown SID'.
I did end up opening the search, but only if I choose to 'Edit' the dashboard itself. I have tried placing all of the searches into a search query but get an error stating:
Error in 'TsidxStats': WHERE clause is not an exact query
Looking at the query itself, it appears that the issue resides with the macro "node(1)" and is defined as follows:
datamodel="pan_firewall" WHERE nodename="$nodename$"
I have not changed anything with the app and this is a default macro that comes with the app. Does anyone have any thoughts as to why this is occurring or any Troubleshooting steps I could take?
I have the same issue. The problem is there is no field called "nodename" in the datamodel. I cannot find anywhere in the TA that defines this field, thus it will never match. Thus a lot of the dashboards don't work.
└──╼ grep -ri nodename *| grep -v .js
bin/splunk_ta_paloalto/cloudconnectlib/splunktalib/modinput.py: if doc.nodeName == "input":
bin/splunk_ta_paloalto/solnlib/net_utils.py: # [Errno 8] nodename nor servname provided, or not known
lookups/threat_list.csv:36853,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0764"
lookups/threat_list.csv:36707,"Advantech WebAccess Browser ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0985"
lookups/threat_list.csv:38655,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability","code-execution",medium,"CVE-2014-0764"
Are you seeing any logs/events when you run the following?
|from datamodel:"pan_firewall"
It seems the search is broken or the fields in the datamodel have changed. What version of the add-on and app are you using?