Solved: Palo Alto Networks App for Splunk: pan_firewall da...

dgustafsonBMCM · ‎12-22-2017

I'm having issues with my datamodel-based dashboards after upgrading app to 6.0.1, and I think I've narrowed down the cause. Just to reiterate the troubleshooting steps for "Only 'Overview' or 'Real-time Event Feed' dashboard has data"

-Acceleration is enabled
-Data model is 100% built
-Increasing Time range to All time produces no additional

Here is an example dashboard search which is not populating results for me
=Search=
| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="" GROUPBY _time log.dest_name log.app:category log.app log.action log.content_type log.vendor_action | rename "log.action" as action, "log.app" as app, "log.app:category" as "app:category", "log.content_type" as content_type, "log.dest_name" as dest_name, "log.flags" as flags, "log.vendor_action" as vendor_action, "log." as "*"

=Error shown=
This search has completed and found 2,860,331 matching events in 19.376 seconds. However, the transforming commands in the highlighted portion of the following search:

generated no results. Possible solutions are to:
check the syntax of the commands
verify that the fields expected by the report commands are present in the events

When I manually run this search, to look at results from the datamodel. I am noticing the following missing fields
| datamodel pan_firewall search | search *

Missing from Datamodel -- present in Datamodel
log.dest_name -- dest_name
log.app:category -- raw_category
log.content_type -- ??
log.vendor_action -- vendor_action
log.flags -- flags

When I replace all the field names on the left (missing in datamodel) with their present version on the right, and re-run the dashboard search manually... Everything starts working again.

Example "Fixed" search...
| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="" GROUPBY _time dest_name raw_category log.app log.action vendor_action | rename "log.action" as action, "log.app" as app, "raw_category" as "app:category", "dest_name" as dest_name, "log." as "*"

Can someone please help me understand what is going on with the datamodel?

panguy · ‎12-22-2017

Thanks for the feedback. The missing fields come from an input lookup through the content packs.

Check out the answer on this post on how to get those fields populated.

https://answers.splunk.com/answers/591456/palo-alto-networks-app-for-splunk-all-activity-das.html

I will look into why they are not coming in pre-populated.

View solution in original post

panguy · ‎12-22-2017

Thanks for the feedback. The missing fields come from an input lookup through the content packs.

Check out the answer on this post on how to get those fields populated.

https://answers.splunk.com/answers/591456/palo-alto-networks-app-for-splunk-all-activity-das.html

I will look into why they are not coming in pre-populated.

dgustafsonBMCM · ‎12-22-2017

EDIT: I updated Panorama to 8.0.6-h3 and rebooted, and the macro is working now. I expect the lookup should be populated on the next scheduled run. Thanks.

Thanks - I figured that was related and had been working on resolving (I also posted https://answers.splunk.com/answers/606458/palo-alto-networks-add-on-for-splunk-601-app-list.html)

I've got my app_list.csv populated now, but when I try to run the manual macro "| pancontentpack threats" I get the following error:

External search command 'pancontentpack' returned error code 2. Script output = "ERROR show -> predefined is unexpected ". threat_list.csv is still empty but some of the dashboards seem to be working better now.

Palo Alto Networks App for Splunk: pan_firewall datamodel issue after upgrading App to 6.0.1

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM