I set up the Palo Alto Networks App for Splunk, but all of the dashboards are blank except for the overview. The firewall is configured to send the log data via syslog (not using 514, as it is already being used). I verified that I am getting traffic, threat, and configuration log data; however, none of the dashboards are populating with new data other than the overview dashboard.
I verified that I am getting new log data by running pan_threat and selecting a 30-second time window in real time.
I had this issue with 5.1.x and I upgraded to 5.2.0 since I had recently upgraded PAN-OS (the TA is at version 3.6.1), but the dashboards are still empty. I was prompted to set the app back up after the upgrade, but everything needed was already in the configuration file, so I just clicked save. Same results: Overview works, but none of the other dashboards.
PAN App: 5.2.0
Please confirm that your sourcetypes are correct. They should start with pan:
Also check to see if your role has the paloalto index selected under "Indexes searched by default".
Are they parsed correctly, meaning you see the expected fields?
The next thing to try is to look at the dashboard panel: move your mouse to the bottom left, and an icon should appear that lets you run the panel's search. Take a look at that search to determine where the issue is. If the icon is not there, look at the job inspector to find the search it is running to fill the panel.
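The checks in this answer written out as concrete searches, added here as an example; they are not part of the original answer or of the app. Assumptions: the index is pan_logs (the app's default; the answer above calls it the paloalto index, so substitute whatever index your inputs.conf writes to), the data model the panels query is pan_traffic, and the REST field names are the ones shown on the Data Models page in Splunk 6.x (they may differ in other versions). Run each search on its own.

```spl
index=pan_logs earliest=-15m | stats count BY sourcetype host

index=pan_logs sourcetype=pan:traffic earliest=-15m | stats count AS total count(bytes_sent) AS has_bytes_sent count(log_subtype) AS has_log_subtype

index=pan_logs sourcetype=pan:traffic earliest=-15m | eval delay_s=_indextime-_time | stats min(delay_s) AS min_delay max(delay_s) AS max_delay BY host

| tstats summariesonly=t count FROM datamodel=pan_traffic WHERE earliest=-15m

| tstats summariesonly=f count FROM datamodel=pan_traffic WHERE earliest=-15m

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 | search summary.id=*pan_traffic* | table summary.id summary.complete summary.is_inprogress summary.earliest_time summary.latest_time
```

The first search shows which sourcetypes are actually arriving right now; the app's transforms should have rewritten pan:log into pan:traffic, pan:threat, pan:config and so on, and anything still sitting at pan:log will not reach the data model. The second search tells you whether the fields the panels aggregate on are extracted (has_bytes_sent and has_log_subtype should be close to total). The third search exposes timestamp problems: a large positive or negative delay between _time and _indextime means the events are being stamped with a time other than when they arrived, so a dashboard with a fixed "last N minutes" window will miss them even though a real-time window shows them. The two tstats searches separate the summary from the raw data: if summariesonly=f returns events but summariesonly=t returns nothing, the data model acceleration summary does not contain the recent data, and the last search shows whether that summary is complete or still being rebuilt.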
Here is the search:
| tstats sum(bytes_sent) AS sumSent sum(bytes_received) AS sumReceived FROM pan_traffic where log_subtype=end groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"
The reports finished, but I am still not getting results. I did find that if I change the time range to all time, I get results from last year. I had to stop forwarding data from our firewall due to a license overrun, which is no longer an issue.
[udp://5141]
sourcetype = pan:log
no_appending_timestamp = true
Both are in the right time zone and are showing the same time.
I checked out splunkd.log and found:
08-09-2016 14:22:30.545 -0400 ERROR FrameworkUtils - Incorrect path to script: /.\bin\scripted_inputs\deploy_splunk_ta_paloalto.py. Script must be located inside $SPLUNK_HOME/bin/scripts.
08-09-2016 14:22:30.545 -0400 ERROR ExecProcessor - Ignoring: "'/.\bin\scripted_inputs\deploy_splunk_ta_paloalto.py'
Yes. I checked the accelerated reports and confirmed that each of them (3) was at 100%. I chose to rebuild them in case something went wrong the first go. They have not finished yet.
I checked the acceleration on my install, as well. It was only at 32% so I started a rebuild.
When the rebuild reached ~75%, the other dashboards started working; however, it is now at 98.63% and the other dashboards have stopped working again...