All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Palo Alto Networks App Dashboards not populating

heathramos
Path Finder
a month ago

if I run the following search, I get records: index="pan" host="*"

none of the dashboards show any info

what could cause this?

 

Labels (1)
Labels
0 Karma
Reply

livehybrid
Super Champion
a month ago

Hi @heathramos 

It sounds like you havent installed Splunk Add-on for Palo Alto Networks  - You need this in addition to the Splunk App for Palo Alto Networks because the Add-on contains all the macros that the dashboards in the app use, such as p_index, pan_tstats, pan_summariesonly and pan_logs.

Please install this and hopefully this should resolve the issue, once installed check the p_index - by default this is "index=pan*" so if your index is called "pan" then the default should be fine.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply

heathramos
Path Finder
a month ago

I checked and it was installed but not running the latest version

updated the pan app and pan add-on to the latest version but dashboards still don't work

0 Karma
Reply

livehybrid
Super Champion
a month ago

Hi @heathramos 

Okay so this is installed, you should be able to see the macros in them - Are you able to see any of the previously mentioned macros when in the app?

 

0 Karma
Reply

heathramos
Path Finder
a month ago

I see a pan_index macro among others

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
a month ago

@heathramos Your dashboard isn't populating because it's looking for data in places that don't exist in your environment. 

The main culprit is probably the p_index macro. Your dashboard is using `p_index` but this macro either doesn't exist or isn't pointing to the right place. Go to Settings > Advanced Search > Search Macros and see if you have one called p_index. If not, create it. If yes, make sure it's set to your actual Palo Alto index.

tip: When you're in the Search app, you can Cmd+Shift+E (Mac) or Ctrl+Shift+E (Windows) to expand macros in your search and see what they actually resolve to. This will show you exactly what `p_index` is doing.

Second issue - sourcetype mismatch. The dashboard expects sourcetype="pan:xdr_incident" but your data probably has a different sourcetype. Run this to see what you actually have:

index=pan | stats count by sourcetype

Quick test: Try running the base search manually with your actual values instead of the tokens. Replace $severity$ with * and see if you get any results.

The dashboard is basically looking for some field names like incident_id, severity, status etc. If your XDR data doesn't have these exact field names, nothing will show up.

Most of these Palo Alto app dashboards assume you've configured everything exactly as Palo Alto intended, but real environments are messier. You'll probably need to either:

  • Fix your data inputs to match what the dashboard expects, OR
  • Edit the dashboard searches to match your actual data structure

Start with that macro expansion trick and sourcetype check - those are usually the smoking guns.

Good luck!


If this Helps, Please Upvote.

Reply

heathramos
Path Finder
a month ago

I don't see p_index

When I create it, how exactly do I configure it?

What do I put under definition?

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
a month ago

@heathramos 

Since the p_index macro doesn't exist, here's how to dig into the dashboard and fix it:

Edit the dashboard directly:

  1. Go to your  dashboard
  2. Click the Edit button (top right)
  3. Click on each panel/visualization that's not showing data
  4. Click Edit Search for each one magnifying glass
  5. You'll see searches that start with `p_index` sourcetype="pan:xdr_incident"

Replace the macro with your actual index:

  • Change `p_index` to index=pan (or whatever your actual Palo Alto index is called)
  • So the search becomes: index=pan sourcetype="pan:xdr_incident"

Do this for every search in the dashboard. There are probably 8-10 different searches based on your dashboard config.

While you're in there, also check:

  • Does sourcetype="pan:xdr_incident" match your actual data? Run index=pan | stats count by sourcetype first to confirm
  • If your sourcetype is different (like pan:incident or cortex:xdr), update those too

 

0 Karma
Reply

heathramos
Path Finder
a month ago

I see searches like the following: 

| tstats summariesonly=t values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="*" GROUPBY _time log.dest_name log.app:category log.app log.action log.content_type log.vendor_action | rename log.* AS * | stats sum(count) AS count values(app) AS app values(category) AS category BY dest_name
| table dest_name app category count
| sort -count

 

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
a month ago

@heathramos 

yeah this is going to be a fun one.

You've got data model issues, which is way more involved than just fixing a macro. Data models are these complex hierarchical things with parent/child datasets that need to be built and accelerated properly - it's a whole thing.

Looking at that search, it's trying to pull from datamodel=pan_firewall with specific node relationships. If that's not set up right (or at all), nothing's going to work. And troubleshooting data models means digging into dataset structures, field mappings, acceleration status - it's honestly not a quick fix.

If you need this dashboard working soon and it's important to the business, you might want to just work with Splunk ondemand services. They can sort out your data models properly instead of you spending days figuring out why the acceleration isn't working or why the field extractions are wrong.

If you want to try,  spend  some time in Settings > Data Models, checking what's actually there vs what the dashboard expects. You'll probably end up either rebuilding data models from scratch or rewriting all these tstats searches to use regular SPL.

It's more like -audit your entire Palo Alto data ingestion and modeling setup.




If this Helps Please Upvote.
 
Reply

heathramos
Path Finder
a month ago

FYI

It looks like the dashboards are now working

changing the datamodel at every step and adding the index reference fixed the issue

thanks for the help

0 Karma
Reply

sainag_splunk
Splunk Employee
Splunk Employee
a month ago

@heathramos Thanks for the update, glad it worked out. 

0 Karma
Reply

heathramos
Path Finder
a month ago

that's for the help

I will play with the data model when I have time

I noticed parts were giving any records in the preview unless I manually added the index.

I tried adding the index to various steps and enabling acceleration but it still didn't work

 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...