- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Traffic Dashboard displays no Data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have the latest version of Splunk for PaloAlto (upgraded a week or two ago) on a Linux system. We are are trying to repair a lot of our dashboards, which have never worked. Originally Splunk was configured to use the main index and we believe that the person who initially set it up tried to get everything working with the main database and failed. Now we have reconfigured so that all PaloAlto data is sent to the pan_log index.
The PAN Overview dashboard works fine. I believe all of the links work as well. The Traffic dashboard does not display any data. The threat dashboard and the system dashboard under console also do not work. The content dashboard appears to be OK. There are other areas that are not working, but I figured I would try to start out with a small list. All of the dashboards that are not working appear to use the search index = summary DataCube = system prefix in the search which I click inspect.
Not really sure how the summary table gets populated so we can fix this, or if that even makes sense that this would be the issue. Any ideas on where I should start on this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured this out. Each role on the server has a list of default indexes to search. My users don't have that setting so we just figured it was something out dated. When we modified the User and Admin roles to include the pan_logs index, everything started working. The answer was in the read me file, but we didn't understand what we were looking at.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You exactly what I was looking for!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured this out. Each role on the server has a list of default indexes to search. My users don't have that setting so we just figured it was something out dated. When we modified the User and Admin roles to include the pan_logs index, everything started working. The answer was in the read me file, but we didn't understand what we were looking at.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It may not have been the upgrade that impacted the summary index data. It may be the change we made to send PaloAlto data from the main index to the pan_logs index. Not sure at this point which one caused the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found another link that suggested the following should be enabled, so I have changed them from disabled to enabled, but this appears to have had no impact on the issue.
SI - PAN - Traffic - DataCube
SI - PAN - Traffic - DataCube 2
SI - PAN - Threat - DataCube
SI - PAN - Threat - DataCube 2
SI - PAN - Web Activity - DataCube
SI - PAN - Web Activity - DataCube2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something else we have noticed. Prior to the upgrade we were getting data for index=summary DataCube = system... After the upgrade we never saw summary data again. Looks like some type of process that populates the summary index is no longer working.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
