
Trying to run searches in Search and Reporting on PAN logs but getting issues

Path Finder

Error in 'SearchParser': The search specifies a macro 'session' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

| tstats summariesonly=t prestats=t latest(_time), values(log.log_subtype), values(log.severity), values(log.app), values(log.user), values(log.threat_name), values(log.file_name), values(log.file_hash), values(log.url), values(log.dest_name), count FROM datamodel="pan_firewall" WHERE (nodename="log.threat" OR nodename="log.wildfire.malicious") log.action="*" GROUPBY sourcetype `session` log.direction log.action
| tstats summariesonly=t prestats=t append=t latest(_time), values(log.log_subtype), values(log.severity), values(log.threat_name), values(log.user), count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" log.action="*" GROUPBY sourcetype log.serial_number log.log_subtype log.client_ip log.action
| tstats summariesonly=t prestats=t append=t latest(_time), values(log.log_subtype), values(log.severity), values(log.file_name), values(log.file_hash), values(log.user), values(log.threat_name), count FROM datamodel="pan_endpoint" WHERE nodename="log.attacks" log.action="*" GROUPBY sourcetype log.log_subtype log.client_ip log.action
| tstats summariesonly=t prestats=t append=t latest(_time), latest(log.incident_id), values(log.log_subtype), values(log.app), values(log.user), values(log.threat_name), values(log.client_ip), count FROM datamodel="pan_aperture" WHERE nodename="log.incident" GROUPBY sourcetype log.threat_name log.file_name
| fillnull value="" log.client_ip log.server_ip log.serial_number log.session_id log.direction log.action log.file_name log.threat_name
| stats latest(_time) AS _time, latest(log.incident_id) AS log.incident_id, values(log.log_subtype) AS log.log_subtype, values(log.severity) AS log.severity, values(log.app) AS log.app, values(log.user) AS log.user, values(log.threat_name) AS log.threat_name_values, values(log.file_name) AS log.file_name_values, values(log.client_ip) AS log.client_ip_values, values(log.file_hash) AS log.file_hash, values(log.url) AS log.url, values(log.dest_name) AS log.dest_name, count BY sourcetype `session` log.direction log.action log.file_name log.threat_name
| rename log.* AS *
| fillnull value="high" severity
| eval action=if(action=="", "allowed", action)
| eval severity=case(severity=="critical","critical", severity=="high","high", severity=="medium","medium", severity=="low","low", severity=="informational","informational", sourcetype=="pan:aperture","high")
| eval victim_ip=if(direction=="" OR direction=="client-to-server", if(server_ip!="",server_ip,client_ip), client_ip)
| eval file_name=if(file_name=="", file_name_values, file_name)
| eval threat_name=if(threat_name=="", threat_name_values, threat_name)
| eval client_ip=if(client_ip=="", client_ip_values, client_ip)
| lookup minemeldfeeds_lookup indicator AS client_ip OUTPUT value.autofocus_tags AS client_autofocus_tags
| lookup minemeldfeeds_lookup indicator AS server_ip OUTPUT value.autofocus_tags AS server_autofocus_tags
| lookup minemeldfeeds_lookup indicator AS file_hash OUTPUT value.autofocus_tags AS file_autofocus_tags
| lookup minemeldfeeds_lookup indicator AS url OUTPUT value.autofocus_tags AS url_autofocus_tags
| lookup minemeldfeeds_lookup indicator AS dest_name OUTPUT value.autofocus_tags AS domain_autofocus_tags
| eval autofocus_tags=mvappend(client_autofocus_tags,server_autofocus_tags,file_autofocus_tags,url_autofocus_tags,domain_autofocus_tags)
| eval time_in_seconds=_time
| eval drilldown_token=case(sourcetype=="pan:endpoint","endpoint_event", sourcetype=="pan:aperture","aperture_event", true(),"network_event")
| search severity=critical action=allowed latest=-5d
| table _time log_subtype threat_name severity action app client_ip server_ip user file_name session_id serial_number drilldown_token victim_ip time_in_seconds autofocus_tags incident_id sourcetype
| eval autofocus_tags=mvdedup(autofocus_tags)
| sort -_time

I've tried doing

[]
export = system

In both the Splunk TA and Splunk app, to no avail. I also acknowledge that it said not to export to system in the $app$/metadata/default.meta.

I need these searches to work in Search and Reporting because I'm building a dashboard with an array of searches from different applications.

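The error in the first post is a knowledge-object scoping problem rather than a search-syntax problem: a macro defined in one app is only visible from another app (here Search and Reporting) if its owning app exports it to the system scope. The global `[]` stanza the poster tried exports every object in the app at once, which is what the add-on's default.meta warns against; the narrower fix is to export only the objects the dashboard needs. The fragment below is an added illustration, not part of the thread or of the Palo Alto Networks add-on; it assumes the macro is called `session` and lives in the add-on directory `Splunk_TA_paloalto`, as the thread indicates, and it goes in that add-on's metadata/local.meta so that a future upgrade does not overwrite it.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/metadata/local.meta
# Added example: export one macro to all apps instead of exporting the
# whole add-on with a global "[]" stanza. Object scope is <type>/<name>.
[macros/session]
export = system
access = read : [ * ], write : [ admin ]

# The same pattern applies to any other object the Search and Reporting
# dashboard depends on, e.g. a lookup definition (assumed name from the thread):
[transforms/minemeldfeeds_lookup]
export = system
access = read : [ * ], write : [ admin ]
```

Metadata changes take effect after a restart (or a debug/refresh). To confirm where a macro is actually coming from and that nothing in a /local directory overrides it, `splunk btool macros list session --debug` prints each stanza with the file it was read from, which is a quicker check than inspecting every local directory by hand.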

Re: Trying to run searches in Search and Reporting on PAN logs but getting issues

Builder

The macros are defined in the Palo Alto Network Add-on. Make sure you have the latest Add-on to match the App. If it still isn't working, you probably have something in a /local directory that is breaking it. Try clearing out your /local directories in the App and Add-on, or delete and re-install them both to clear out custom settings.


Re: Trying to run searches in Search and Reporting on PAN logs but getting issues

Path Finder

I've checked the TA and it's up to date. I've checked the /local directory and there isn't anything in it.

[splunk@server Splunk_TA_paloalto]$ find ./* -type d -name local
./local
[splunk@server Splunk_TA_paloalto]$ for h in `find ./* -type d -name local`; do ls -larth $h; done
total 4.0K
-rw------- 1 splunk splunk 21 May 10 11:00 app.conf
drwxr-xr-x 11 splunk splunk 237 May 10 11:00 ..
drwx------ 2 splunk splunk 22 May 10 11:00 .
[splunk@server Splunk_TA_paloalto]$
