Palo Alto Dashboard (URL Filtering) not populating any data.

Path Finder

URL Filtering is the Dashboard I want to concentrate on as it has been requested for use.

I have exhausted the troubleshooting steps found in the app documentation and am not sure why certain dashboards are not working properly.

The following don't work at all:
URL Filtering Dashboard
Traffic Dashboard
Web Activity Report

What I have done:
1. Re-built the Palo Alto Data models and ensured they are at 100%.
2. Performed Pivot searches via the data model "Palo Alto Networks Firewall Logs" and received results.
3. Specifically used the 'URL Filtering' part of the datamodel and that also works fine when pivoting and I get the proper results.

Also, I can search through the logs fine and get traffic, threat, system, and config logs. I have tried simply opening one of the searches on the dashboard, but nothing happens: I click on the magnifying glass and no window pops up and no error appears. However, when I try to 'inspect' the search, I get an error stating 'Unknown SID'.

I did end up opening the search but only if I choose to 'Edit' the dashboard itself. I have tried placing all of the searches into a search query but get an error stating
Error in 'TsidxStats': WHERE clause is not an exact query

Looking at the query itself, it appears that the issue resides with the macro "node(1)", which is defined as follows:
datamodel="pan_firewall" WHERE nodename="$nodename$"

I have not changed anything with the app, and this is a default macro that comes with the app. Does anyone have any thoughts as to why this is occurring, or any troubleshooting steps I could take?

Path Finder

I have the same issue. The problem is there is no field called "nodename" in the datamodel. I cannot find anywhere in the TA that defines this field, thus it will never match, and so a lot of the dashboards don't work.

└──╼ grep -ri nodename *| grep -v .js
bin/splunk_ta_paloalto/cloudconnectlib/splunktalib/ if doc.nodeName == "input":
bin/splunk_ta_paloalto/solnlib/ # [Errno 8] nodename nor servname provided, or not known
lookups/threat_list.csv:36853,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0764"
lookups/threat_list.csv:36707,"Advantech WebAccess Browser ActiveX NodeName Parameter Buffer Overflow Vulnerability",overflow,high,"CVE-2014-0985"
lookups/threat_list.csv:38655,"Advantech WebAcess ActiveX NodeName Parameter Buffer Overflow Vulnerability","code-execution",medium,"CVE-2014-0764"

0 Karma
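The grep above searches the add-on's files for the literal string "nodename". A more reliable way to answer the question "which fields does this data model actually declare?" is to parse the data model's JSON definition (the file Splunk stores under the app's datamodels directory) and list the field names per object, including calculated output fields. The following is an added example, not code from the Palo Alto app or from either poster; the data model JSON it parses is a constructed, minimal stand-in with invented object and field names, not the real pan_firewall model, and the JSON keys it relies on (modelName, objects, objectName, parentName, fields, fieldName, calculations, outputFields) are those of Splunk's data model JSON format.

```python
import json

# Constructed, minimal stand-in for a Splunk data model JSON definition.
# The object and field names are invented for illustration; this is NOT
# the pan_firewall model that ships with the Palo Alto app.
SAMPLE_DATAMODEL_JSON = json.dumps({
    "modelName": "pan_firewall",
    "objects": [
        {
            "objectName": "log",
            "parentName": "BaseEvent",
            "fields": [
                {"fieldName": "_time"},
                {"fieldName": "host"},
                {"fieldName": "vendor_action"},
            ],
            # Calculated fields are declared under calculations/outputFields,
            # so a grep for the bare name can miss them.
            "calculations": [
                {"outputFields": [{"fieldName": "action"}]},
            ],
        },
        {
            "objectName": "url",
            "parentName": "log",
            "fields": [
                {"fieldName": "url"},
                {"fieldName": "category"},
            ],
            "calculations": [],
        },
    ],
})


def declared_fields(datamodel_json: str) -> dict:
    """Map each object name to the set of field names it declares,
    counting both extracted fields and calculation output fields."""
    model = json.loads(datamodel_json)
    result = {}
    for obj in model.get("objects", []):
        names = {f["fieldName"] for f in obj.get("fields", [])}
        for calc in obj.get("calculations", []):
            names.update(f["fieldName"] for f in calc.get("outputFields", []))
        result[obj["objectName"]] = names
    return result


def object_paths(datamodel_json: str) -> set:
    """Dotted object paths (root.child), built by walking parentName links.
    These paths, not field names, are what a tstats WHERE nodename=... clause
    selects; BaseEvent is Splunk's implicit root and is not part of the path."""
    model = json.loads(datamodel_json)
    parents = {o["objectName"]: o.get("parentName") for o in model.get("objects", [])}
    paths = set()
    for name in parents:
        chain = [name]
        parent = parents[name]
        while parent and parent in parents:
            chain.append(parent)
            parent = parents[parent]
        paths.add(".".join(reversed(chain)))
    return paths


def is_declared_field(datamodel_json: str, field: str) -> bool:
    """True if any object in the model declares the given field name."""
    return any(field in names for names in declared_fields(datamodel_json).values())


if __name__ == "__main__":
    for obj, names in sorted(declared_fields(SAMPLE_DATAMODEL_JSON).items()):
        print(f"{obj}: {', '.join(sorted(names))}")
    print("object paths:", sorted(object_paths(SAMPLE_DATAMODEL_JSON)))
    print("nodename declared as a field?", is_declared_field(SAMPLE_DATAMODEL_JSON, "nodename"))
```

To run it against a real model, replace SAMPLE_DATAMODEL_JSON with the contents of the app's data model JSON file. One caveat when reading the result: in a tstats search, `WHERE nodename=...` is the tstats keyword that selects a data model object by its dotted path (the values object_paths returns), so "nodename" not appearing in the declared field list is expected and does not by itself explain a failing dashboard.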


Was this issue ever resolved? We are experiencing a similar problem.

0 Karma

Path Finder

This issue was not resolved. I decided to just create my own dashboard with similar searches.

0 Karma


Are you seeing any logs/events when you run |from datamodel:"pan_firewall" ? It seems the search is broken or the fields in the datamodel have changed. What version of the add-on and app are you using?

0 Karma