All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Real Time Event Data not showing up. Install used a seperate index for paloalto.

Iwdavies
Path Finder
‎10-31-2018 08:26 AM

PaloAlto Networks app dashboard issue. All dashboards work with the exception of the Realtime Event Feed. When I created my input for paloalo I used udp 514 and a new index for the data (pan_logs). I played with the search string in the various dashboards and found that if I put index=pan_logs at the beginning of the string that it will start pulling the feeds correctly. However, I don't know how to change the string for the dashboards so that they work...

some things to note:

I have already added the no_appending_timestamp = true to the inputs file
time is the same on the splunk server as it is with the palo alto equipment.
I have not added any time zone information in the props.conf file since the time stamps are the same.

Ian

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Iwdavies
Path Finder
‎10-31-2018 08:49 AM

I found the solution to this issue:

I went to the location of the view (D:\Program Files\Splunk\etc\apps\SplunkforPaloAltoNetworks\default\data\ui\views\realtime_event_feed.xml) and added "index=pan_logs" to the first query string. Saved the file and restarted splunk. Now the Real Event Feed is working fine.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Iwdavies
Path Finder
‎10-31-2018 08:49 AM

I found the solution to this issue:

I went to the location of the view (D:\Program Files\Splunk\etc\apps\SplunkforPaloAltoNetworks\default\data\ui\views\realtime_event_feed.xml) and added "index=pan_logs" to the first query string. Saved the file and restarted splunk. Now the Real Event Feed is working fine.

0 Karma
Reply
Solved! Jump to solution

btorresgil
Builder
‎10-31-2018 08:56 AM

You shouldn't need to add the index to the search. Are you sure you are searching the pan_logs index by default in your user/role settings?

0 Karma
Reply
Solved! Jump to solution

Iwdavies
Path Finder
‎10-31-2018 09:12 AM

That worked as well, so I undid my change and added the pan_logs to the indexes that are searched by default.

0 Karma
Reply
Solved! Jump to solution

btorresgil
Builder
‎10-31-2018 09:14 AM

ok, great to hear, glad it's working.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...