We are on PAN-OS 6.1.2 and Version 4.1.2 of the Splunk App. All of the other dashboards populate fine, and a cursory search for threat logs returns lots of entries. We just see nothing in the actual threat dashboard. Has anyone else experienced this?
Basic search index=pan_logs sourcetype=pan_threat returns 112k events in last 24 hours. Threat dashboard still blank.
I had the same question but found that they define what a threat is differently in the Dashboard than in the index/sourcetype.
If you look in macros.conf, you will see that they define pan_threat to be:

[pan_threat]
definition = pan_index sourcetype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")

and pan_threat_all to be:

[pan_threat_all]
definition = pan_index sourcetype="pan_threat"
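The practical consequence of those two stanzas, as an added example that is not part of the original thread or of the Splunk app itself: the script below parses a copy of the two macro stanzas quoted above, reduces each definition to "required sourcetype plus excluded log_subtype values", and applies that filter to a handful of constructed threat events. The sample events, the helper names and the simplified filter parser (it understands only the `sourcetype="…"` and `log_subtype!="…"` patterns used in those stanzas) are assumptions made for this illustration.

```python
"""
Added example (not from the original thread or the Splunk for Palo Alto
Networks app): show how the dashboard macro `pan_threat` can match nothing
while `pan_threat_all` matches every event in the sourcetype.
"""
import re

# Constructed copy of the two macro stanzas quoted in the answer above.
MACROS_CONF = """\
[pan_threat]
definition = pan_index sourcetype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")

[pan_threat_all]
definition = pan_index sourcetype="pan_threat"
"""

# Constructed sample events; only sourcetype and log_subtype matter here.
SAMPLE_EVENTS = [
    {"sourcetype": "pan_threat", "log_subtype": "url"},
    {"sourcetype": "pan_threat", "log_subtype": "url"},
    {"sourcetype": "pan_threat", "log_subtype": "file"},
    {"sourcetype": "pan_threat", "log_subtype": "wildfire"},
    {"sourcetype": "pan_threat", "log_subtype": "data"},
    {"sourcetype": "pan_traffic", "log_subtype": "end"},
    {"sourcetype": "pan_threat", "log_subtype": "vulnerability"},
]

# Minimal macros.conf reader: {stanza name: definition string}.
def load_macros(conf_text):
    macros, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None and key.strip() == "definition":
            macros[current] = value.strip()
    return macros

# Only the two patterns present in the quoted stanzas are recognised.
_SOURCETYPE = re.compile(r'(?<!!)sourcetype="([^"]*)"')
_EXCLUDED_SUBTYPE = re.compile(r'log_subtype!="([^"]*)"')

def parse_filter(definition):
    """Reduce a definition to (required sourcetype, set of excluded log_subtype values)."""
    m = _SOURCETYPE.search(definition)
    required = m.group(1) if m else None
    excluded = set(_EXCLUDED_SUBTYPE.findall(definition))
    return required, excluded

def event_matches(definition, event):
    required, excluded = parse_filter(definition)
    return (event.get("sourcetype") == required
            and event.get("log_subtype") not in excluded)

def count_matches(conf_text, events):
    """Events each macro would return, keyed by macro name."""
    macros = load_macros(conf_text)
    return {name: sum(event_matches(d, e) for e in events)
            for name, d in macros.items()}

def subtype_breakdown(events, sourcetype="pan_threat"):
    """Rough equivalent of `| stats count by log_subtype` on one sourcetype."""
    counts = {}
    for e in events:
        if e.get("sourcetype") == sourcetype:
            counts[e["log_subtype"]] = counts.get(e["log_subtype"], 0) + 1
    return counts

if __name__ == "__main__":
    print("per-macro counts:", count_matches(MACROS_CONF, SAMPLE_EVENTS))
    print("log_subtype breakdown:", subtype_breakdown(SAMPLE_EVENTS))
```

The check this suggests for the original question is to run the threat search with `| stats count by log_subtype` appended: if every one of the 112k events carries one of the four excluded subtypes, the dashboard's macro legitimately returns nothing, and the events the poster is seeing are URL filtering, file blocking, data filtering or WildFire logs rather than what the dashboard counts as threats.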