Palo Alto Dashboard is blank, sub dashboards are working

splk
Communicator

Hello all,

Currently the data from the Palo Altos is streaming in, and all sub dashboards are working as expected.
The Overview Dashboard is only showing the Top-URL Category; all other panels are 0 or empty.

Any clue how to fix?
We are on the latest App Version.

Kind regards

0 Karma

nk-1
Path Finder

When parts of my dashboards don't render properly, I check if my system is approaching the maximum number of searches that can be run concurrently.
Just a thought..

0 Karma

btorresgil
Builder

When every dashboard works except the Overview dashboard, it is almost 100% of the time caused by a clock sync issue, meaning your firewall's clock is 5 minutes or more off from your Splunk server clock. The Overview dashboard uses a real-time 5-minute timeframe by default, so if the firewall's clock is 6 minutes off, nothing will show up here, but it will show up fine in all the other dashboards.

My recommendation is to check the clocks on the Splunk server and the firewalls/Panorama to ensure they are exactly synchronized, or use an NTP server to synchronize them. Also verify you're using the same timezone on both.

0 Karma

splk
Communicator

Time is in sync. As already mentioned, the searches from the overview dashboard are also not working if I change them from real-time to, e.g., last 15 minutes.

0 Karma

fz
Explorer

Hi splk!

I doubt that it might be a permission issue.

I guess you need to take a look at the "Indexes searched by default" settings under Settings > Access control > Roles, and make sure that you include the pan_logs index in the selected indexes.

0 Karma

splk
Communicator

Added the index but no change, dashboard panels are still blank.

0 Karma

splk
Communicator

I guess there is something wrong with the macro pan_logs (or permissions??).

If I open the panel search and change the macro pan_logs to index=pan_logs, the search is working!

0 Karma

kent_farries
Path Finder

My first guess is that, since this dashboard is real-time, you can't see the data based on our user permissions. At my company we restrict real-time searches, so most of our users of this app would also get a blank dashboard on the Overview. We do allow a few people to have real-time access, but it is restricted for performance reasons.

How to test

  1. Click the search icon on one of the panels
  2. This will open in a new window
  3. Change the search from real-time to last 15 minutes.

If you get data then it is most likely user permissions.

0 Karma

kent_farries
Path Finder

Hmmm. There is a lot going on in this app so I'm not sure where to point you next but I will provide a couple of ideas.

Top URL category you said works and the base search is not a macro.
sourcetype="pan:traffic"

The two panels below start with a basic macro. If you put in just the macro does it return data? Delete everything after the macro to verify.

Event Types
pan_logs

Top Applications
pan_traffic

If you get data then maybe it is the sourcetype. It's been a while but I thought it might be something to do with _ or :.
sourcetype="pan:"
sourcetype="pan_"

.....

0 Karma

splk
Communicator

I guess there is something going on with the pan_logs macro.
If I change the search from pan_logs macro usage to index=pan_logs, everything is working.

0 Karma

splk
Communicator

Seems not to be a permission issue.
I changed one panel search to last 15 minutes, and also get no results.

0 Karma
