All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Palo Alto Dashboards - add input help

BrendanCO
Path Finder
‎04-20-2017 11:15 AM

Hello! I'm trying to edit a dashboard and add an input to filter by "dvc_host". We are now bringing in multiple PANs and I'd like to be able to look at these dashboards by each individual PAN.

Looking at the input "src_ip" I see the format looks like this:
http://imgur.com/MaikAM7

Now, I try to add the input "dvc_host" and mirror the input with the appropriate field name:
http://imgur.com/h4YRL2t

And it doesn't work.

A little help, please?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-20-2017 12:40 PM

Do this: Edit the source XML, find the definition of the src_ip field input, copy that section and duplicate it under the original, modify all the src_ip-ish parts in the duplicated section to dvc_host-ish. Then look for the query section and you will see that it has something like ... src_ip=$SRC_IP_TOKEN$ .... Add after this your new stuff so it is something like ... src_ip=$SRC_IP_TOKEN$ dvc_host=$DVC_HOST_TOKEN$ .... That's it.

Reply

BrendanCO
Path Finder
‎04-25-2017 03:59 PM

I'll be honest, I got wrapped up in another more pressing issue! I came back to this today, woodcock, and am not sure which source XML you're referring to. The dashboard itself?

So, I cloned the Palo Alto - Traffic Dashboard, for example, to Palo Alto - Traffic Dashboard by Host. I was going to work off of this but I don't see the cloned dashboard anywhere. I know this is probably ridiculously easy but I swear that I've perused all over and can't find it. That's the one I want to try to edit with your instructions. Thoughts?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...