All Apps and Add-ons

Palo Alto Networks App for Splunk: Why do all other dashboards work except the Threat dashboard?

Meena27
Explorer

Hello,

We have the Palo Alto Networks App for Splunk installed. All other Dashboards are working fine expect Threat dashboard. Everything seems fine. Could you please let me know why this could be?

0 Karma

Richfez
SplunkTrust
SplunkTrust

Hopefully I have close enough to your version and all that. I can update mine if necessary, but I think it's just a couple of months out of date so it's probably close enough.

Here's what I did to investigate, hopefully the methods will work for you (and will be helpful for others).

When I open my Threat dashboard, the first panel is "Threat Subtypes" and is based on the following base search (e.g. I got rid of the timechart at the end).

| `pan_tstats` count FROM `node(log.threat)`       `groupby(_time log.log_subtype)` 

So let's compare that to one that may or may not work, the "Traffic Dashboard" "Bytes Transfered[sic] Over Time" which has a base search like

| `pan_tstats` sum(log.bytes_out) AS sumSent sum(log.bytes_in) AS sumReceived FROM `node(log.traffic.end)`       groupby _time span=5m

If you look at both, you see much of the same macros but not quite. They both call macro node() but one with log.threat and the other with log.traffic.end. So let's check that macro to see what it does.

datamodel="pan_firewall" WHERE nodename="$nodename$" 

So, if we do a pivot on datamodel pan firewall (called "Palo Alto Networks Firewall Logs" in the Datamodels list), I come up with a bunch of Threats. Yours I presume doesn't?

If it doesn't as I expect, go back and "Edit objects" on that DM, you'll see that there's a list of Constraints for the root "Firewall Logs" which I'll presume works fine (since other items populate). If you click "Threat" on the left, you'll see that it adds a few more constraints:

eventtype="pan_threat" (log_subtype="vulnerability" OR log_subtype="virus" OR log_subtype="spyware")

Of those, you have two sets of things to check. Are your pan logs properly tagged with event type "pan_threat"? Do they have at least one of those log_subtypes?

My guess is an eventtype is misspecified. You can go to the definition of the eventtype to see how that's defined and somewhere in those few items is, IMO, likely to be the problem.

Let me/us know how it goes!

0 Karma

Meena27
Explorer

Thanks for your explanation, I already tried everything which you have specified. Everything is in place.

I found what was causing the issue, pan_tstats contains "tstats summariesonly=t". This is where the the problem was, i removed summariesonly=t and it fixed the issue.

0 Karma

Richfez
SplunkTrust
SplunkTrust

Using tstats summariesonly=t only works if the data model is accelerated (as per the tstat docs). Can you confirm that your data model is indeed accelerated, and perhaps check over what period it is accelerated?

Not sure what to do if it is accelerated yet summariesonly isn't working: maybe unaccelerate (lol - decelerate? negatively accelerate? Oh, "disable acceleration", that's probably the best way to say it) it then reaccelerate it? Extend its period?

0 Karma

Meena27
Explorer

Yeah it was, it was accelerated for 7 days, I increased the period as well. still gave me no results.

So i just removed the summariesonly=t and it worked!

0 Karma

Richfez
SplunkTrust
SplunkTrust

I can look tomorrow (probably) if no one else has a better answer.

in the meantime, there's a new threat_list.csv that may need to be generated. If you look through your searches, something's probably in there that creates that. OR wait until tomorrow and perhaps it will have automatically run.

0 Karma

Meena27
Explorer

Okay, the dashboard which I am talking about runs a datamodel, pan_firewall. which doesnt seem to work.. I checked the datamodel and everything looks fine. Any thoughts on that?

0 Karma