Splunk for Palo Alto - Threat Dashboard not populating?

jrseniz
Engager

We are on PAN-OS 6.1.2 and Version 4.1.2 of the Splunk App. All of the other dashboards populate fine, and a cursory search for threat logs returns lots of entries. We just see nothing in the actual threat dashboard. Has anyone else experienced this?

Basic search index=pan_logs sourcetype=pan_threat returns 112k events in last 24 hours. Threat dashboard still blank.

franks59
Explorer

I had the same question but found that they define what a threat is differently in the Dashboard than in the index/sourcetype.
If you look in macros.conf, you will see that they define pan_threat to be:

[pan_threat]
definition = pan_index sourcetype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")

and pan_threat_all to be:

[pan_threat_all]
definition = pan_index sourcetype="pan_threat"

0 Karma
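To make the difference between the two macros concrete, here is an added example (not code from the Splunk app or from this thread) that emulates `pan_threat` and `pan_threat_all` over a few constructed PAN-OS THREAT log lines. It assumes the PAN-OS 6.x THREAT syslog CSV layout, in which the fifth comma-separated field is the log subtype; the sample events and the serial number in them are made up.

```python
"""
Emulate the `pan_threat` and `pan_threat_all` macros from the Splunk for
Palo Alto app's macros.conf over constructed PAN-OS THREAT log lines, to
show how a search can return many events while the Threat dashboard
stays empty: the dashboard macro drops the file/url/data/wildfire
subtypes.

Assumption (not taken from the thread): the lines follow the PAN-OS 6.x
THREAT syslog CSV layout, where field 4 is the type ("THREAT") and
field 5 is the subtype (url, file, data, wildfire, vulnerability, ...).
"""
from collections import Counter
from typing import Dict, List, Optional

# Subtypes the dashboard macro `pan_threat` excludes (as listed in macros.conf).
DASHBOARD_EXCLUDED_SUBTYPES = frozenset({"file", "url", "data", "wildfire"})

# Constructed sample payloads, not real firewall output; only the first five
# CSV fields are filled in, the rest are elided. One malformed line is
# included to show that it is ignored rather than miscounted.
SAMPLE_EVENTS = [
    "1,2015/10/10 10:00:01,0001A1000001,THREAT,url,...",
    "1,2015/10/10 10:00:02,0001A1000001,THREAT,url,...",
    "1,2015/10/10 10:00:03,0001A1000001,THREAT,file,...",
    "1,2015/10/10 10:00:04,0001A1000001,THREAT,wildfire,...",
    "1,2015/10/10 10:00:05,0001A1000001,THREAT,data,...",
    "1,2015/10/10 10:00:06,0001A1000001,THREAT,vulnerability,...",
    "1,2015/10/10 10:00:07,0001A1000001,THREAT,spyware,...",
    "not a threat log line at all",
]


def parse_subtype(event: str) -> Optional[str]:
    """Return the log subtype (5th CSV field), or None for a malformed line."""
    fields = event.split(",")
    if len(fields) < 5 or fields[3].strip() != "THREAT":
        return None
    return fields[4].strip().lower()


def pan_threat_all(events: List[str]) -> List[str]:
    """Equivalent of `pan_threat_all`: every THREAT event, no subtype filter."""
    return [e for e in events if parse_subtype(e) is not None]


def pan_threat(events: List[str]) -> List[str]:
    """Equivalent of `pan_threat`: THREAT events minus the excluded subtypes."""
    return [
        e for e in pan_threat_all(events)
        if parse_subtype(e) not in DASHBOARD_EXCLUDED_SUBTYPES
    ]


def subtype_breakdown(events: List[str]) -> Dict[str, int]:
    """Count events per subtype; the first thing to check when the dashboard is blank."""
    return dict(Counter(parse_subtype(e) for e in pan_threat_all(events)))


def diagnose(events: List[str]) -> Dict[str, object]:
    """Summarize how many events the search matches versus what the dashboard keeps."""
    total = len(pan_threat_all(events))
    shown = len(pan_threat(events))
    return {
        "matched_by_search": total,
        "shown_on_dashboard": shown,
        "hidden_by_macro": total - shown,
        "by_subtype": subtype_breakdown(events),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In the sample, seven events match the plain sourcetype search but only two (vulnerability and spyware) survive the dashboard macro, which is the pattern behind "lots of threat logs, empty dashboard". The equivalent check in Splunk is a breakdown of the existing search by the `log_subtype` field, for example `index=pan_logs sourcetype=pan_threat | stats count by log_subtype`; if nearly everything is url, file, data or wildfire, the dashboard is working as the macro defines it.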