Palo Alto Dashboards - add input help

BrendanCO · ‎04-20-2017

Hello! I'm trying to edit a dashboard and add an input to filter by "dvc_host". We are now bringing in multiple PANs and I'd like to be able to look at these dashboards by each individual PAN.

Looking at the input "src_ip" I see the format looks like this:
http://imgur.com/MaikAM7

Now, I try to add the input "dvc_host" and mirror the input with the appropriate field name:
http://imgur.com/h4YRL2t

And it doesn't work.

A little help, please?

woodcock · ‎04-20-2017

Do this: Edit the source XML, find the definition of the src_ip field input, copy that section and duplicate it under the original, modify all the src_ip-ish parts in the duplicated section to dvc_host-ish. Then look for the query section and you will see that it has something like ... src_ip=$SRC_IP_TOKEN$ .... Add after this your new stuff so it is something like ... src_ip=$SRC_IP_TOKEN$ dvc_host=$DVC_HOST_TOKEN$ .... That's it.

BrendanCO · ‎04-25-2017

I'll be honest, I got wrapped up in another more pressing issue! I came back to this today, woodcock, and am not sure which source XML you're referring to. The dashboard itself?

So, I cloned the Palo Alto - Traffic Dashboard, for example, to Palo Alto - Traffic Dashboard by Host. I was going to work off of this but I don't see the cloned dashboard anywhere. I know this is probably ridiculously easy but I swear that I've perused all over and can't find it. That's the one I want to try to edit with your instructions. Thoughts?

Palo Alto Dashboards - add input help

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor