We are trying to determine the best way to provide a user activity report from our Palo Alto logs and are having trouble with the appropriate Splunk search. Something to show "total bytes for each destination hostname grouped by user over a nominated time period". Could anyone provide any advice on how that search could be written? Obviously we are rather new to Splunk but have the search basics in hand, just not more advanced search syntax.
We are using Splunk 6.5.2, Palo Alto Networks Add-on for Splunk 3.7.1 and Palo Alto Networks App for Splunk 5.3.1.
I am trying to generate a Web Activity Report on a per user basis.
I have tried removing the quotes (") from the end of log.user= and from the Token Suffix field. I still cannot get a search to complete using only the user name (No Results Found), even though the user is ID'd in the firewalls and I see the traffic there.
Furthermore, if I look at the Traffic Dashboard, I do see where users are identified, so the Palo Alto App is able to pull that information; why then does it not work in the Web Activity Report?
Any assistance would be greatly appreciated.
Thanks adonio. Even if I place a * in the Source User field it still returns no results 😞
The other filter fields work fine, it is just the Source User filter.
Sorry, I just realised that your settings for the "Source User" filter look different to mine.
My Token Prefix is:
and my Token Suffix is "
I removed the quotes and it now works.
Take a look at the Traffic Dashboard, here's a screenshot:
The top left panel shows bytes over time; you can filter by dest and by user, or place * to capture all.
The bottom panels (missing in the screenshot) will show traffic by destination.
You can also click Edit and then Edit Source to check the underlying searches and modify them to your satisfaction.
Hope it helps
Thanks Adonio. That has certainly helped, but while that works perfectly for the "Traffic Dashboard", if I try and filter on the "Web Activity Report" it seems the "Source User" filter has no effect while the "Source IP" and "Destination Hostname" filters work fine. It would be great to be able to filter within the "Web Activity Report" by user. Do you see the same issue in your environment?
It's funny, you are right! Worthwhile to tell the app developers (PAN). I was able to fix it quickly on my end.
Go to the mentioned dashboard (Web Activity Report), click Edit, then click on the pencil icon next to Source User.
In the menu, change Token Prefix to log.user=
In the Token Suffix, remove the "
Meaning you will remove " from both.
Save and check that you can filter by user. I am attaching another screenshot in an answer below.
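The two things this thread asks for, the Source User token fix just described and the per-user "total bytes per destination hostname" report from the original question, can be combined in one Simple XML panel. The following is an added example written for this thread; it is not the Palo Alto App's own dashboard source and not code from either poster. It assumes the Palo Alto App's `pan_firewall` data model exposes `log.user`, `log.dest_hostname` and `log.bytes` (field names assumed; confirm them against the app's own dashboard source via Edit > Edit Source before relying on them). The dashboard name and panel title are also made up for the example.

```xml
<!-- Added example, not from the Palo Alto App or the thread.
     Assumptions: data model pan_firewall with fields log.user,
     log.dest_hostname and log.bytes (verify in the app's own dashboard XML). -->
<form>
  <label>Per-user web activity (example)</label>
  <fieldset submitButton="true">
    <!-- The "nominated time period" from the question: a time picker whose
         earliest/latest are passed to the search below. -->
    <input type="time" token="time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- The fix from the thread: Token Prefix is log.user= with no quote and the
         Token Suffix is left out entirely. Typing * makes $user$ expand to
         log.user=* and typing jsmith makes it expand to log.user=jsmith. -->
    <input type="text" token="user">
      <label>Source User</label>
      <prefix>log.user=</prefix>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Total bytes per destination hostname, grouped by user</title>
      <table>
        <search>
          <!-- tstats reads the accelerated data model, so this stays fast over
               long time ranges; $user$ is the expanded token from the input above. -->
          <query>
            | tstats summariesonly=true sum(log.bytes) AS total_bytes
                FROM datamodel=pan_firewall
                WHERE $user$ log.dest_hostname=*
                BY log.user log.dest_hostname
            | rename log.user AS user, log.dest_hostname AS dest_hostname
            | eval total_mb = round(total_bytes / 1048576, 2)
            | sort user, -total_bytes
          </query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste this as a new dashboard via Settings > User Interface > Views (or Dashboards > Create New Dashboard > Edit Source). If the table comes back empty for a user who is visible on the Traffic Dashboard, check the expanded search in the job inspector first: with the quotes removed it should read `log.user=<name>` rather than `log.user="<name>"`, which is exactly the difference the thread turned on. If `log.bytes` or `log.dest_hostname` are not fields in your version of the data model, copy the names from the Web Activity Report's own search instead.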