Palo Alto Search with action lookup field not working (Splunk 8.0.6 / Palo Alto TA 6.4.0 / Palo Alto App 6.4.0)

Rodelanuit
Explorer

Hello,

I'm currently facing a curious issue with the lookup:

LOOKUP-vendor_action = pan_vendor_action_lookup vendor_action OUTPUT action

The lookup seems to be working (it appears in my interesting fields and I can also see the value counts).

But when I try to perform a search like: index=firewall action=allowed, the search returns 0 events after only 1 second. If I do the search with the field vendor_action, it works correctly.

I confirmed the issue is also present with TA 6.2.0.

TA 6.2.0 was working perfectly with Splunk 7.0.3. So I suppose the Splunk upgrade changed something.

Other TAs are not impacted by this issue.

Thank you for your help.

myck
Engager

I have same problem.

Rodelanuit
Explorer

My issue is: a search filtered on a value of the lookup field doesn't work (index=firewall action=allowed is empty).

The lookup field "action" works only in the interesting fields count or in a search with the table keyword (like index=firewall | table action, vendor_action).

richgalloway
SplunkTrust

You have a lookup that works and you have a search query that works so what is the problem?

---
If this reply helps you, Karma would be appreciated.
myck
Engager

Hello,

The lookup is running, but when we add the action field to a search like this example:

index="toto" sourcetype="pan:threat" action=allowed

The search takes 1 second and is empty.

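As an added diagnostic for the symptom described in this thread (these searches are not from the thread, the Palo Alto TA or the app), the following SPL separates the three places the behaviour can differ: the lookup table itself, an explicit lookup applied inline, and the automatic-lookup field used as a base-search filter. The index name firewall, the sourcetype pan:threat, the lookup name pan_vendor_action_lookup and the field names vendor_action / action are taken from the thread; the output field name action_explicit and the 15-minute time range are assumptions chosen for the example.

```spl
| inputlookup pan_vendor_action_lookup
| search action=allowed

index=firewall sourcetype="pan:threat" earliest=-15m
| lookup pan_vendor_action_lookup vendor_action OUTPUT action AS action_explicit
| search action_explicit=allowed
| stats count by vendor_action action action_explicit

index=firewall sourcetype="pan:threat" earliest=-15m action=allowed
| stats count by vendor_action action
```

Run the three searches separately. The first confirms that the table actually maps at least one vendor_action value to action=allowed. The second applies the lookup explicitly after the events are retrieved and filters on its output, so it works regardless of how the automatic LOOKUP- setting in props.conf is being honored. If the second search returns events and the third returns none, the automatic lookup is being applied for field display (the interesting-fields panel and table output the posters describe) but is not being used as a base-search filter, which narrows the investigation to the automatic-lookup configuration rather than the lookup table or the data.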