
Trying to run searches in Search and Reporting on PAN logs but getting issues


Error in 'SearchParser': The search specifies a macro 'session' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

| tstats summariesonly=t prestats=t latest(_time), values(log.log_subtype), values(log.severity), values(, values(log.user), values(log.threat_name), values(log.file_name), values(log.file_hash), values(log.url), values(log.dest_name), count FROM datamodel="pan_firewall" WHERE (nodename="log.threat" OR nodename="log.wildfire.malicious") log.action="" GROUPBY sourcetype `session` log.direction log.action
| tstats summariesonly=t prestats=t append=t latest(_time), values(log.log_subtype), values(log.severity), values(log.threat_name), values(log.user), count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" log.action="" GROUPBY sourcetype log.serial_number log.log_subtype log.client_ip log.action
| tstats summariesonly=t prestats=t append=t latest(_time), values(log.log_subtype), values(log.severity), values(log.file_name), values(log.file_hash), values(log.user), values(log.threat_name), count FROM datamodel="pan_endpoint" WHERE nodename="log.attacks" log.action="" GROUPBY sourcetype log.log_subtype log.client_ip log.action
| tstats summariesonly=t prestats=t append=t latest(_time), latest(log.incident_id), values(log.log_subtype), values(, values(log.user), values(log.threat_name), values(log.client_ip), count FROM datamodel="pan_aperture" WHERE nodename="log.incident" GROUPBY sourcetype log.threat_name log.file_name
| fillnull value="" log.client_ip log.server_ip log.serial_number log.session_id log.direction log.action log.file_name log.threat_name
| stats latest(_time) AS _time, latest(log.incident_id) AS log.incident_id, values(log.log_subtype) AS log.log_subtype, values(log.severity) AS log.severity, values( AS, values(log.user) AS log.user, values(log.threat_name) AS log.threat_name_values, values(log.file_name) AS log.file_name_values, values(log.client_ip) AS log.client_ip_values, values(log.file_hash) AS log.file_hash, values(log.url) AS log.url, values(log.dest_name) AS log.dest_name, count BY sourcetype `session` log.direction log.action log.file_name log.threat_name
| rename log.* AS *
| fillnull value="high" severity
| eval action=if(action=="", "allowed", action)
| eval severity=case(severity=="critical","critical", severity=="high","high", severity=="medium","medium", severity=="low","low", severity=="informational","informational", sourcetype=="pan:aperture","high")
| eval victim_ip=if(direction=="" OR direction=="client-to-server", if(server_ip!="",server_ip,client_ip), client_ip)
| eval file_name=if(file_name=="", file_name_values, file_name)
| eval threat_name=if(threat_name=="", threat_name_values, threat_name)
| eval client_ip=if(client_ip=="", client_ip_values, client_ip)
| lookup minemeldfeeds_lookup indicator AS client_ip OUTPUT value.autofocus_tags AS client_autofocus_tags
| lookup minemeldfeeds_lookup indicator AS server_ip OUTPUT value.autofocus_tags AS server_autofocus_tags
| lookup minemeldfeeds_lookup indicator AS file_hash OUTPUT value.autofocus_tags AS file_autofocus_tags
| lookup minemeldfeeds_lookup indicator AS url OUTPUT value.autofocus_tags AS url_autofocus_tags
| lookup minemeldfeeds_lookup indicator AS dest_name OUTPUT value.autofocus_tags AS domain_autofocus_tags
| eval autofocus_tags=mvappend(client_autofocus_tags,server_autofocus_tags,file_autofocus_tags,url_autofocus_tags,domain_autofocus_tags)
| eval time_in_seconds=_time
| eval drilldown_token=case(sourcetype=="pan:endpoint","endpoint_event", sourcetype=="pan:aperture","aperture_event", true(),"network_event")
| search severity=critical action=allowed latest=-5d
| table _time log_subtype threat_name severity action app client_ip server_ip user file_name session_id serial_number drilldown_token victim_ip time_in_seconds autofocus_tags incident_id sourcetype
| eval autofocus_tags=mvdedup(autofocus_tags)
| sort -_time

I've tried doing

export = system

In both the Splunk TA and Splunk app, to no avail. I also acknowledge that it said not to export to system in the $app$/metadata/default.meta.

I need these searches to work in Search and Reporting because I'm building a dashboard with an array of searches from different applications.



The macros are defined in the Palo Alto Network Add-on. Make sure you have the latest Add-on to match the App. If it still isn't working, you probably have something in a /local directory that is breaking it. Try clearing out your /local directories in the App and Add-on, or delete and re-install them both to clear out custom settings.

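The error message lists three possible causes (misspelled name, no read permission, not shared with the calling app). The following added example, which is not from this thread or from the Palo Alto add-on, applies Splunk's object-sharing rules to the macro list returned by the `admin/macros` REST endpoint to tell which of those causes applies; the JSON sample is constructed and the macro definitions are omitted.

```python
import json
import urllib.request

# Constructed sample in the shape returned by Splunk's
# /servicesNS/-/-/admin/macros?output_mode=json endpoint (not captured from
# the poster's instance; macro definitions omitted).
SAMPLE_MACROS_JSON = json.dumps({"entry": [
    {"name": "session",
     "acl": {"app": "Splunk_TA_paloalto", "owner": "nobody", "sharing": "global",
             "perms": {"read": ["*"], "write": ["admin"]}}},
    {"name": "example_app_only_macro",
     "acl": {"app": "SplunkforPaloAltoNetworks", "owner": "nobody", "sharing": "app",
             "perms": {"read": ["admin"], "write": ["admin"]}}},
]})

def load_sample_entries():
    return json.loads(SAMPLE_MACROS_JSON)["entry"]

def fetch_macros(base_url, token):
    """Pull every macro from a live instance (needs network and a bearer token)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/servicesNS/-/-/admin/macros?output_mode=json&count=0",
        headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entry"]

def macro_visible_from(entries, macro_name, app, user, roles):
    """Return (visible, reason) using Splunk's sharing rules: global -> every app,
    app -> only the owning app, user -> only its owner inside that app; the
    caller's roles must also hold read permission on the object."""
    matches = [e for e in entries if e["name"] == macro_name]
    if not matches:
        return False, "macro %r is not defined in any app" % macro_name
    for e in matches:
        acl = e["acl"]
        readers = acl["perms"].get("read", [])
        if not ("*" in readers or set(roles) & set(readers)):
            continue  # caller holds no read permission on this copy
        if acl["sharing"] == "global":
            return True, "shared globally by app %s" % acl["app"]
        if acl["sharing"] == "app" and acl["app"] == app:
            return True, "shared within app %s" % app
        if acl["sharing"] == "user" and acl["owner"] == user and acl["app"] == app:
            return True, "private macro of %s in app %s" % (user, app)
    owners = ", ".join(e["acl"]["app"] for e in matches)
    return False, "defined in %s but not shared with app %s or not readable" % (owners, app)
```

Run `macro_visible_from(fetch_macros(url, token), "session", "search", user, roles)` against a real instance to see whether the add-on's copy of `session` is global (visible from Search and Reporting) or only app-scoped.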


I've checked the TA and it's up to date. I've checked the /local directory and there isn't anything in it.

[splunk@server Splunk_TA_paloalto]$ find ./* -type d -name local
[splunk@server Splunk_TA_paloalto]$ for h in `find ./* -type d -name local`; do ls -larth $h; done
total 4.0K
-rw------- 1 splunk splunk 21 May 10 11:00 app.conf
drwxr-xr-x 11 splunk splunk 237 May 10 11:00 ..
drwx------ 2 splunk splunk 22 May 10 11:00 .
[splunk@server Splunk_TA_paloalto]$
