All Apps and Add-ons

Threat (Searches and Report)

afhussain
Explorer

hi,

I installed the Splunk for Palo Alto Networks app and I can see all the threat, content, wildfire and traffic logs fine. All the dashboards work fine as well. My question is: when I click on the drop-down menu for Threat and select PAN-Threat-Collect under Searches & Reports, it just comes up with a counter on the left-hand side and all the other columns are empty. The number increments as I select the time range, but the tabulated data is not populated. From the search, if I remove "| tscollect namespace=pan_threat", I can see the tabulated data, but it does not summarize the results. Please help.

0 Karma

afhussain
Explorer

thanks for your help

0 Karma

afhussain
Explorer

Thanks for your prompt reply. I am very new to Splunk so still learning my way. As far as search, it would be useful to see a table view of top N hosts with highest count of malware/spyware/av activity.

0 Karma

btorresgil
Builder

This is possible in pie chart format via the Threat Dashboard. You can see the top N hosts on your network and off your network that have shown threat activity like malware/spyware/av, and the top N users, too. If you're looking for a table or some specific threat type or field not on the dashboard, you can generate a table via a search like this...

`pan_threat` log_subtype="spyware" | stats count by src_ip | sort -count | head 20

For more info, you can open a new question on this.

0 Karma
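Building on the search in the answer above, the following is an added example (not code from the app or from the poster) that produces the table the asker described: the top 20 source hosts ranked by combined malware/spyware/av hits, with the subtypes seen per host. It assumes the `pan_threat` macro and the `src_ip` and `log_subtype` fields from the answer, and assumes `virus` and `vulnerability` are the other `log_subtype` values and that `threat_name` holds the signature name; confirm those against your own events before relying on the counts.

```spl
`pan_threat` (log_subtype="spyware" OR log_subtype="virus" OR log_subtype="vulnerability")
| stats count AS threats, values(log_subtype) AS subtypes_seen, dc(threat_name) AS distinct_threats BY src_ip
| sort -threats
| head 20
```

Because this search ends in `stats` rather than `tscollect`, it displays the result instead of writing it to the summary namespace, so it can be run ad hoc over any time range.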

btorresgil
Builder

That is expected. The searches that end with 'Collect' are specifically for collecting the indexed data for use in the dashboard graphs and tables. They run every 5 minutes by default. That's why, if you remove the 'collect' command, it shows a table: you're telling it not to collect the data, but to display it instead.

These searches are available in case you want to do a collect immediately instead of waiting 5 minutes. However, I understand how this might be confusing. I've considered removing these searches from the menu to prevent this kind of confusion, but that would keep people from being able to do a collection on demand.

Anyone, please let me know in the comments if you think it would be better to remove these collection searches from the menus, or leave them there.

0 Karma