
Problem with user roles in Palo Alto app

Panssa
New Member

I have two different roles, both inheriting user privileges. The roles are All_logs and Network_logs.
The only difference between those roles is that All_logs has Restrict search terms: * and
Network_logs has Restrict search terms: index=pan_logs

And the problem is with the Palo Alto Networks app: for users who belong to the All_logs role everything works fine, but users with Network_logs don't see anything in the app, although the search "index=pan_logs" works fine.
Why doesn't the app show information? For example, the Threat Dashboard gives "Search produced no results" under the dropdown menus, and all panels give "No results found".


btorresgil
Builder

This is more of a question about Splunk than about the App, but I can offer a few suggestions on things to check.

  1. Verify the logs are actually in the pan_logs index. This is not the default if you are using the new Palo Alto Networks Add-on.

  2. Check that the Network_logs role can see the pan_logs index (or the 'All non-internal indexes' settings), and the pan_logs index is in 'Indexes searched by default'.

  3. Instead of using 'Restrict search terms', you can set the role to only see the 'pan_logs' index, which would have the same effect.

Since this is not an App-specific issue, but an issue with Splunk role settings and an index, you can also troubleshoot this with Splunk support by opening a ticket.

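The three checks above map onto a handful of settings in authorize.conf. The fragment below is an added illustration (not configuration posted by either participant or shipped with the app) of the two roles as described in the question, followed by the alternative from point 3 that restricts the role by index instead of by search filter. The stanza names are taken from the thread; the assumption is that both roles inherit from the built-in user role as stated. Place such stanzas in $SPLUNK_HOME/etc/system/local/authorize.conf or in an app's local/authorize.conf, and restart or reload Splunk afterwards.

```ini
# Added example, not from the original post. Role names as described in the thread.

# --- As configured in the question: both roles differ only by srchFilter ---
[role_All_logs]
importRoles = user
# "Restrict search terms: *" in the UI
srchFilter = *

[role_Network_logs]
importRoles = user
# "Restrict search terms: index=pan_logs" in the UI.
# A search filter is a term ANDed onto the user's searches; it does not by
# itself change which indexes the role is allowed to read (those come from
# the inherited user role's srchIndexesAllowed / srchIndexesDefault).
srchFilter = index=pan_logs

# --- Point 3 in the answer: restrict by index instead of by search filter ---
[role_Network_logs_by_index]
importRoles = user
# Only this index is readable at all by the role ...
srchIndexesAllowed = pan_logs
# ... and it is searched when a search names no index explicitly, which is
# what check 2 ("Indexes searched by default") refers to.
srchIndexesDefault = pan_logs
```

To confirm what a role actually ends up with after inheritance, a user with permission to read the REST endpoint can run `| rest /services/authorization/roles | search title=Network_logs | table title imported_roles srchFilter srchIndexesAllowed srchIndexesDefault` from the search bar. Note that the two mechanisms differ in what they protect: srchIndexesAllowed denies access to data outside pan_logs however a search is written, whereas srchFilter only appends a term to the search, so when a role must truly be confined to one set of data the index allowlist is the setting to rely on.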

Panssa
New Member

Thanks for the answer!

Some comments:
1. Yes, the logs are actually in the pan_logs index
2. Network_logs can see the pan_logs index; the search index=pan_logs works fine with this role.
3. I made some changes to the roles -> no Restrict search terms and available index: pan_logs, and now the app works, but this is not the solution I want to use. We have other issues, so we need to use 'Restrict search terms'

Splunk Support answered me that this is an app-related question.
