All Apps and Add-ons

Splunk for Palo Alto Networks: Searching for users using the most bandwidth, how is a user classified as "unknown"?

Path Finder

I'm trying to figure out who's using the most bandwidth today doing what, via:

<pre>index=pan_logs earliest=-0d@d | stats sum(elapsed_time) as duration, sum(bytes) as sbytes by user, app | table user app sbytes duration</pre>

I always get a user named "unknown" as the top user.
How does something get classified as "unknown" in the Palo Alto app?

Communicator

unknown means that USERID either is disabled or PA does not know what the user is. (That means that the PA itself should show you the same information - don't think its a Splunk-issue)

0 Karma

Communicator

When i run the query I get users listed.

Try this:

 index=pan_logs user="*" | top 20000 user

Run it "Last 60 minutes" or something

This returns thousands of users for me - what does it list for you?

0 Karma

Path Finder

Top user (75%) is "unknown" for the past hour, using your query above.
Many other specific users listed below that.

If I drill down on "unknown", I can get the client_ip, and based on the timestamp, I can find out who they really are.
But why is PAN logging "unknown"?

0 Karma

Communicator

Check the PA Box Logs - if it logs it the same way this cannot be solved within Splunk.

0 Karma

Path Finder

I'm a little concerned that the biggest bandwidth user for the various categories is always "unknown" and not some specific individual.
Could someone else running the Palo Alto Networks app run the above query and let me know if this "unknown" user is a common phenomenon there too?
If it isn't, I might have to speak to the PAN implementers here to see why it is logging "unknown".
Thanks.

0 Karma