
Palo Alto Search with action lookup field not working (Splunk 8.0.6 / Palo Alto TA 6.4.0 / Palo Alto App 6.4.0)

Rodelanuit
Explorer

Hello,

I'm currently facing a curious issue with the lookup:

LOOKUP-vendor_action = pan_vendor_action_lookup vendor_action OUTPUT action

The lookup seems to be working (it appears in my interesting fields and I can also see value counts).

But when I try to perform a search like index=firewall action=allowed, the search returns 0 events after only 1 second. If I do the search with the field vendor_action, it works correctly.

I confirmed the issue is also present with TA 6.2.0.

TA 6.2.0 was working perfectly with Splunk 7.0.3, so I suppose the Splunk upgrade changed something.

Other TAs are not impacted by this issue.

Thank you for your help.

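One way to narrow down where the filtering breaks, as an added diagnostic that is not part of this thread: run the three searches below and compare the counts. The lookup and field names are the ones quoted in the question; the index and time range are assumptions.

```spl
index=firewall earliest=-15m action=allowed
| stats count AS base_search_hits

index=firewall earliest=-15m
| search action=allowed
| stats count AS post_pipeline_hits

index=firewall earliest=-15m
| lookup pan_vendor_action_lookup vendor_action OUTPUT action AS action_explicit
| stats count BY vendor_action action action_explicit
```

If the first search returns 0 while the second returns hits and the third shows action and action_explicit agreeing, the lookup table and its output field are fine but the base-search term is not being resolved through the automatic lookup, which points at the LOOKUP- definition (or another search-time definition of action for the same sourcetype) rather than at the CSV.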

myck
Engager

I have the same problem.


Rodelanuit
Explorer

My issue is: a search with a filtered value based on the lookup field doesn't work (index=firewall action=allowed is empty).

The lookup field "action" works only in the interesting-field count or in a search with the table keyword (like index=firewall | table action, vendor_action).


richgalloway
SplunkTrust

You have a lookup that works and you have a search query that works so what is the problem?

---
If this reply helps you, an upvote would be appreciated.

myck
Engager

Hello,
The lookup is running, but when we add the action field to a search, for example:

index="toto" sourcetype="pan:threat" action=allowed

the search takes 1 second and is empty.
