We have the latest version of Splunk for PaloAlto (upgraded a week or two ago) on a Linux system. We are trying to repair a lot of our dashboards, which have never worked. Originally Splunk was configured to use the main index, and we believe that the person who initially set it up tried to get everything working with the main database and failed. Now we have reconfigured so that all PaloAlto data is sent to the pan_log index.
The PAN Overview dashboard works fine. I believe all of the links work as well. The Traffic dashboard does not display any data. The threat dashboard and the system dashboard under console also do not work. The content dashboard appears to be OK. There are other areas that are not working, but I figured I would try to start out with a small list. All of the dashboards that are not working appear to use the `index=summary DataCube=system` prefix in the search when I click Inspect.
I'm not really sure how the summary table gets populated so we can fix this, or if it even makes sense that this would be the issue. Any ideas on where I should start on this?
Figured this out. Each role on the server has a list of default indexes to search. My users don't have that setting, so we just figured it was something outdated. When we modified the User and Admin roles to include the pan_logs index, everything started working. The answer was in the readme file, but we didn't understand what we were looking at.
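As an added illustration (not from this thread), the per-role default index list that the fix above refers to is stored in Splunk's authorize.conf; the role names and the "before" value shown are assumed for the example, and the same change can be made in Splunk Web under Settings > Access controls > Roles.

```ini
# authorize.conf (added example, not from the thread). srchIndexesDefault
# is the set of indexes a role searches when a query gives no index=, and
# srchIndexesAllowed is what the role may search at all. Multiple indexes
# are separated by semicolons.
#
# Before the fix (assumed starting point): only main is searched by
# default, so app searches that do not name an index never see the
# Palo Alto events after they were moved from main to pan_logs:
#
#   [role_user]
#   srchIndexesAllowed = *
#   srchIndexesDefault = main
#
# After the fix: pan_logs is added to the default search set of both
# roles. The scheduled "SI - PAN - ..." summary-indexing searches run with
# the permissions of the role of the user who owns them, so that role
# needs pan_logs in its default list for the summary index to be filled.

[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main;pan_logs

[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = main;pan_logs
```

After editing the file, restart Splunk or reload the configuration so the new defaults take effect, then re-check that the summary searches start producing rows.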
Thank you, exactly what I was looking for!
It may not have been the upgrade that impacted the summary index data. It may be the change we made to send PaloAlto data from the main index to the pan_logs index. Not sure at this point which one caused the issue.
I found another link that suggested the following should be enabled, so I have changed them from disabled to enabled, but this appears to have had no impact on the issue.
SI - PAN - Traffic - DataCube
SI - PAN - Traffic - DataCube 2
SI - PAN - Threat - DataCube
SI - PAN - Threat - DataCube 2
SI - PAN - Web Activity - DataCube
SI - PAN - Web Activity - DataCube2
Something else we have noticed: prior to the upgrade we were getting data for index=summary DataCube = system... After the upgrade we never saw summary data again. It looks like some type of process that populates the summary index is no longer working.