Currently the data from the Palo Altos is streaming in, and all sub dashboards are working as expected.
Only the Overview Dashboard is only showing the Top-URL Category, all other panels are 0 or empty.
Any clue how to fix?
We are on the latest App Version.
When every dashboard works except the Overview dashboard, it is almost 100% of the time caused by a clock sync issue, meaning your firewall's clock is 5 minutes or more off from your Splunk server clock. The Overview dashboard uses a real-time 5-minute timeframe by default, so if the firewall's clock is 6 minutes off, nothing will show up here, but will show up fine in all the other dashboards.
My recommendation is to check the clocks on the Splunk server and the firewalls/Panorama to ensure they are exactly synchronized, or use an NTP server to synchronize them. Also verify you're using the same timezone on both.
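One way to measure the skew described above from the Splunk side, as an added example that is not part of the original answer. It assumes the firewall events are in the `pan_logs` index mentioned elsewhere in this thread, and it selects events by index time so that timestamps lying in the future are not filtered out:

```spl
index=pan_logs earliest=-24h latest=+24h _index_earliest=-15m _index_latest=now
| eval lag_sec = _indextime - _time
| stats count AS events, min(lag_sec) AS min_lag, median(lag_sec) AS median_lag, max(lag_sec) AS max_lag BY host
| eval verdict = if(abs(median_lag) >= 300, "outside the 5-minute real-time window", "ok")
| sort - median_lag
```

A host whose median lag is at or beyond 300 seconds in either direction will not appear in a 5-minute real-time panel; a lag close to a whole number of hours points to a timezone mismatch rather than clock drift.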
I doubt that it might be a permission issue.
I guess you need to take a look at the "Indexes searched by default" settings under Settings > Access controls > Roles, and make sure that you include the pan_logs index in the selected indexes.
My first guess is that since this dashboard is real-time that you can't see the data based on our user permissions. At my company we restrict real-time searches so most of our users of this app would also get a blank dashboard on the Overview. We do allow a few people to have real-time access but it is restricted for performance reasons.
How to test
If you get data then it is most likely user permissions.
Hmmm. There is a lot going on in this app so I'm not sure where to point you next but I will provide a couple of ideas.
Top URL category you said works and the base search is not a macro.
The two panels below start with a basic macro. If you put in just the macro does it return data? Delete everything after the macro to verify.
If you get data then maybe it is the sourcetype. It's been a while but I thought it might be something to do with _ or :.