All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Palo Alto Dashboards - add input help

BrendanCO
Path Finder
‎04-20-2017 11:15 AM

Hello! I'm trying to edit a dashboard and add an input to filter by "dvc_host". We are now bringing in multiple PANs and I'd like to be able to look at these dashboards by each individual PAN.

Looking at the input "src_ip" I see the format looks like this:
http://imgur.com/MaikAM7

Now, I try to add the input "dvc_host" and mirror the input with the appropriate field name:
http://imgur.com/h4YRL2t

And it doesn't work.

A little help, please?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-20-2017 12:40 PM

Do this: Edit the source XML, find the definition of the src_ip field input, copy that section and duplicate it under the original, modify all the src_ip-ish parts in the duplicated section to dvc_host-ish. Then look for the query section and you will see that it has something like ... src_ip=$SRC_IP_TOKEN$ .... Add after this your new stuff so it is something like ... src_ip=$SRC_IP_TOKEN$ dvc_host=$DVC_HOST_TOKEN$ .... That's it.

Reply

BrendanCO
Path Finder
‎04-25-2017 03:59 PM

I'll be honest, I got wrapped up in another more pressing issue! I came back to this today, woodcock, and am not sure which source XML you're referring to. The dashboard itself?

So, I cloned the Palo Alto - Traffic Dashboard, for example, to Palo Alto - Traffic Dashboard by Host. I was going to work off of this but I don't see the cloned dashboard anywhere. I know this is probably ridiculously easy but I swear that I've perused all over and can't find it. That's the one I want to try to edit with your instructions. Thoughts?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...