All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Palo Alto Dashboards - add input help

BrendanCO
Path Finder
‎04-20-2017 11:15 AM

Hello! I'm trying to edit a dashboard and add an input to filter by "dvc_host". We are now bringing in multiple PANs and I'd like to be able to look at these dashboards by each individual PAN.

Looking at the input "src_ip" I see the format looks like this:
http://imgur.com/MaikAM7

Now, I try to add the input "dvc_host" and mirror the input with the appropriate field name:
http://imgur.com/h4YRL2t

And it doesn't work.

A little help, please?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-20-2017 12:40 PM

Do this: Edit the source XML, find the definition of the src_ip field input, copy that section and duplicate it under the original, modify all the src_ip-ish parts in the duplicated section to dvc_host-ish. Then look for the query section and you will see that it has something like ... src_ip=$SRC_IP_TOKEN$ .... Add after this your new stuff so it is something like ... src_ip=$SRC_IP_TOKEN$ dvc_host=$DVC_HOST_TOKEN$ .... That's it.

Reply

BrendanCO
Path Finder
‎04-25-2017 03:59 PM

I'll be honest, I got wrapped up in another more pressing issue! I came back to this today, woodcock, and am not sure which source XML you're referring to. The dashboard itself?

So, I cloned the Palo Alto - Traffic Dashboard, for example, to Palo Alto - Traffic Dashboard by Host. I was going to work off of this but I don't see the cloned dashboard anywhere. I know this is probably ridiculously easy but I swear that I've perused all over and can't find it. That's the one I want to try to edit with your instructions. Thoughts?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...