
Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

New Member

I set up the Palo Alto Networks App for Splunk, but all of the dashboards are blank except for the Overview. The firewall is configured to send the log data via syslog (not using 514, as it is already in use). I verified that I am getting traffic, threat and configuration log data; however, none of the dashboards are populating with new data other than the Overview dashboard.

I verified that I am getting new log data by running pan_traffic and pan_threat and selecting a 30-second real-time time window.

I had this issue with 5.1.x and I upgraded to 5.2.0, since I had recently upgraded PAN-OS (the TA is at version 3.6.1), but the dashboards are still empty. I was prompted to set the app back up after the upgrade, but everything needed was already in the configuration file, so I just clicked Save. Same results: Overview works, but none of the other dashboards.

Versions:
Splunk: 6.3.3
PAN App: 5.2.0
TA: 3.6.1

Thanks,
Sean


Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

Contributor

Hi Sean,

Have you tried going through the troubleshooting guide?

http://pansplunk.readthedocs.io/en/latest/troubleshoot.html

Thanks,

Paul


Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

New Member

Yes. I checked the accelerated reports and confirmed that each of the three was at 100%. I chose to rebuild them in case something went wrong the first time. They have not finished yet.


Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

Explorer

I checked the acceleration on my install as well. It was only at 32%, so I started a rebuild.

When the rebuild reached ~75% the other dashboards started working; however, it is now at 98.63% and the other dashboards have stopped working again.


Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

New Member

The reports finished, but I am still not getting results. I did find that if I change the time range to All time I get results from last year. I had to stop forwarding data from our firewall due to a license overrun, which is no longer an issue.


Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

Contributor

Did you add

no_appending_timestamp = true

in the inputs.conf UDP stanza?

Can you also confirm that the clocks and time zones on the firewall and the Splunk server are the same?


Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

New Member

inputs.conf:

[udp://5141]
sourcetype = pan:log
no_appending_timestamp = true

Both are in the right time zone and are showing the same time.

I checked out splunkd.log and found:

08-09-2016 14:22:30.545 -0400 ERROR FrameworkUtils - Incorrect path to script: /.\bin\scripted_inputs\deploy_splunk_ta_paloalto.py.  Script must be located inside $SPLUNK_HOME/bin/scripts.
08-09-2016 14:22:30.545 -0400 ERROR ExecProcessor - Ignoring: "'/.\bin\scripted_inputs\deploy_splunk_ta_paloalto.py'

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

Splunk Employee

Please confirm that your sourcetypes are correct. They should start with pan:
See:

http://pansplunk.readthedocs.io/en/latest/getting_started.html#step-3-create-the-splunk-data-input

Also check to see if your role's "Indexes to search by default" has the paloalto index selected.

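As an added example (not code from the original thread, the app, or the TA), the following Python script triages a few constructed PAN-OS syslog lines offline for the three things asked about in this thread: whether an event parses as a PAN-OS CSV record and maps to a pan:* sourcetype, whether its timestamp, once given the firewall's UTC offset, lands inside the time window a dashboard searches, and how far the firewall clock is from the indexer's. The sample lines, hostnames, serial numbers, addresses, the indexer clock (INDEXER_NOW_UTC) and the firewall offset (FW_UTC_OFFSET_HOURS) are all constructed; the type-to-sourcetype mapping assumes the pan:* naming convention from the linked getting-started guide and does not reproduce the TA's own sourcetype rewriting.

```python
"""Offline triage of PAN-OS syslog lines for the "dashboards are blank" symptom.

Added example, not part of the Palo Alto Networks App or TA. All inputs below
are constructed. Checks per event:
  1. it is a PAN-OS CSV record and maps to a pan:* sourcetype (assumed names),
  2. its Receive Time, in the firewall's UTC offset, is inside the search window,
  3. the skew between the firewall clock and the indexer clock.
"""
import csv
import re
from datetime import datetime, timedelta, timezone

# Syslog header as the firewall sends it, then the PAN-OS CSV body.
# <pri> is optional; the body always starts with the FUTURE_USE field ("1,").
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<hdr>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<csv>\d+,.*)$"
)

# CSV field 4 (Type) -> sourcetype expected after the TA rewrites pan:log.
# Assumption: the pan:* naming convention from the getting-started guide.
SOURCETYPE_BY_TYPE = {
    "TRAFFIC": "pan:traffic",
    "THREAT": "pan:threat",
    "CONFIG": "pan:config",
    "SYSTEM": "pan:system",
}

# Constructed sample events (not real firewall output).
SAMPLE_LINES = [
    # healthy traffic log; firewall clock agrees with the indexer
    "<14>Aug  9 14:22:30 pa-fw-edge 1,2016/08/09 14:22:30,001606000001,TRAFFIC,end,1,2016/08/09 14:22:30,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,vsys1,trust,untrust",
    # threat log from a firewall whose clock is still on last year
    "<14>Aug  9 14:22:31 pa-fw-edge 1,2015/08/09 14:22:31,001606000001,THREAT,vulnerability,1,2015/08/09 14:22:31,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,vsys1,trust,untrust",
    # config log from a firewall running on UTC while we assume UTC-4
    "<14>Aug  9 18:22:32 pa-fw-dc 1,2016/08/09 18:22:32,001606000002,CONFIG,0,1,2016/08/09 18:22:32,10.0.0.9,vsys1,set,web",
    # an extra prefix ahead of the real header; not parseable as a PAN-OS record
    "Aug  9 14:22:33 10.0.0.1 <14>Aug  9 14:22:33 pa-fw-edge 1,2016/08/09 14:22:33,001606000001,SYSTEM,general",
]

FW_UTC_OFFSET_HOURS = -4                       # constructed: firewall on UTC-4
INDEXER_NOW_UTC = datetime(2016, 8, 9, 18, 30, 0, tzinfo=timezone.utc)  # constructed


def parse_pan_event(line):
    """Return host, Type, Subtype and the naive Receive Time of one syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("no PAN-OS syslog header/CSV body: " + line[:60])
    fields = next(csv.reader([m.group("csv")]))   # PAN-OS bodies are CSV, may quote
    if len(fields) < 5:
        raise ValueError("CSV body too short: " + m.group("csv")[:60])
    return {
        "host": m.group("host"),
        "type": fields[3],                        # field 4: Type
        "subtype": fields[4],                     # field 5: Threat/Content Type
        "receive_time": datetime.strptime(fields[1], "%Y/%m/%d %H:%M:%S"),  # field 2
    }


def event_time_utc(event, fw_utc_offset_hours):
    """Attach the firewall's UTC offset to the naive Receive Time and convert to UTC."""
    tz = timezone(timedelta(hours=fw_utc_offset_hours))
    return event["receive_time"].replace(tzinfo=tz).astimezone(timezone.utc)


def triage(lines, fw_utc_offset_hours, indexer_now_utc, window=timedelta(hours=24)):
    """Classify each line against an earliest=-window, latest=now search."""
    findings = []
    for line in lines:
        try:
            ev = parse_pan_event(line)
        except ValueError as exc:
            findings.append({"ok": False, "reason": str(exc)})
            continue
        skew = (indexer_now_utc - event_time_utc(ev, fw_utc_offset_hours)).total_seconds()
        if skew < 0:
            reason = "timestamp is in the future relative to the indexer; check firewall clock/time zone"
        elif skew > window.total_seconds():
            reason = "older than the search window; only an 'all time' search will show it"
        else:
            reason = "in window"
        findings.append({
            "ok": reason == "in window",
            "type": ev["type"],
            "sourcetype": SOURCETYPE_BY_TYPE.get(ev["type"], "pan:log"),
            "skew_s": skew,
            "reason": reason,
        })
    return findings


def run_demo():
    return triage(SAMPLE_LINES, FW_UTC_OFFSET_HOURS, INDEXER_NOW_UTC)


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

Run it with python; with the constructed inputs the first event is in window, the second is flagged as visible only under All time (the symptom described earlier in this thread), the third has a negative skew because the assumed UTC offset does not match the firewall's clock, so a `latest=now` search skips it, and the fourth fails to parse because the header is not where a PAN-OS record puts it. Replace SAMPLE_LINES with lines copied from a `sourcetype=pan:log` search and INDEXER_NOW_UTC with the indexer's clock to run the same checks on real data.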

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

New Member

The index is in the list of indexes to search and my inputs.conf file is as needed:

[udp://5141]
sourcetype = pan:log
no_appending_timestamp = true

Re: Palo Alto Networks App for Splunk: Why are all dashboards blank except for Overview?

Splunk Employee
Splunk Employee

So if you search with just sourcetype=pan:log, you get events? And do those events have the expected fields?
