Splunk for Palo Alto - Threat Dashboard not popula...

jrseniz · ‎05-08-2015

We are on PAN-OS 6.1.2 and Version 4.1.2 of the Splunk App. All of the other dashboards populate fine, and a cursory search for threat logs returns lots of entries. We just see nothing in the actual threat dashboard. Has anyone else experienced this?

Basic search index=pan_logs sourcetype=pan_threat returns 112k events in last 24 hours. Threat dashboard still blank.

franks59 · ‎07-21-2015

I had the same question but found that they define what a threat is differently in the Dashboard than in the index/sourcetype.
If you look in macros.conf, you will see that they define pan_threat to be:

[pan_threat]
definition = pan_index sourcetype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")

and pan_threat_all to be:

[pan_threat_all]
definition = pan_index sourcetype="pan_threat"

franks59 · ‎07-21-2015

I had the same question but found that they define what a threat is differently in the Dashboard than in the index/sourcetype.
If you look in macros.conf, you will see that they define pan_threat to be:

[pan_threat]
definition = pan_index sourcetype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")

and pan_threat_all to be:

[pan_threat_all]
definition = pan_index sourcetype="pan_threat"

Splunk for Palo Alto - Threat Dashboard not populating?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life