Hello All,
I have followed the guide from here - http://pansplunk.readthedocs.org/en/latest/upgrade.html#upgrade-to-app-version-5-0
I recreated the index as pan_logs from the GUI after installing the App
But I am unable to see any Real Time stats on the Overview; surprisingly, I can see data in all the other dashboards.
Hello, if you're missing data from only one dashboard (in this case, Overview Dashboard), it's most likely that dashboard was modified at some point, so you have a version of it in the app's local directory. This means you're using a modified version of the dashboard from an older version of the app, rather than the dashboard from the new version of the app.

Check your local directory in the app for any dashboards. They are found in $APP_DIR/local/data/ui/views

Delete any XML files you find there that you didn't create yourself. This will remove your customizations to the stock dashboards, but will allow you to use the upgraded dashboards that came with the new version of the app. If you have customizations you want to keep, you can copy those customizations, then copy the new dashboards from default to local and apply the customizations there.

If that doesn't fix the problem, check your inputs to verify you are receiving new data. The Overview Dashboard is realtime and shows only fresh data being received now. The other dashboards show historical data. So it's possible a missing or misconfigured data input could cause this problem.

UPDATE: Another possible cause is that the pan_logs index is not in the list of Indexes searched by default. I just added a note to the 5.0 upgrade guide under the Index section on how to correct this. It should make your macro modifications unnecessary.

Upgrade Guide:
http://pansplunk.readthedocs.org/en/latest/upgrade.html#index
I reverted the changes to the macros.conf file and added pan_logs as an index searched by default, and it also resolved the issue.
I have been able to resolve this myself. I looked into the previous default folder from before the upgrade and I can see that the macros.conf didn't have any index definitions in it.
Changed from:

[pan_index]
definition = eventtype="pan"
[pan_logs]
definition = eventtype="pan"
[pan_threat]
definition = eventtype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")
[pan_threat_all]
definition = eventtype="pan_threat"
[pan_traffic]
definition = eventtype="pan_traffic"
[pan_system]
definition = eventtype="pan_system"

Changed to:

[pan_index]
definition = index=pan_logs eventtype="pan"
[pan_logs]
definition = index=pan_logs eventtype="pan"
[pan_threat]
definition = index=pan_logs eventtype="pan_threat" (log_subtype!="file" AND log_subtype!="url" AND log_subtype!="data" AND log_subtype!="wildfire")
[pan_threat_all]
definition = index=pan_logs eventtype="pan_threat"
[pan_traffic]
definition = index=pan_logs eventtype="pan_traffic"
[pan_system]
definition = index=pan_logs eventtype="pan_system"
You shouldn't need to add index=pan_logs to these macros, because eventtype="pan" should cover any Palo Alto Networks logs across all indexes. If it isn't working that way, try adding your pan_logs index as a default search index for your user or role in Splunk. I'd be interested to know why adding index=pan_logs to the macro really makes a difference in your environment because it usually shouldn't be needed.
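As an added example (not code from this thread or from the Palo Alto Networks app), the following script checks the two configuration points discussed above: whether each Splunk role's srchIndexesDefault in authorize.conf includes pan_logs, and which macros in macros.conf have been pinned to an index with an index= term. The sample .conf contents are constructed for illustration.

```python
import re

# Constructed sample authorize.conf (not from the thread): role_user lacks pan_logs
# in its default search indexes, role_pan_analyst has it.
AUTHORIZE_CONF = """[role_user]
srchIndexesDefault = main
[role_pan_analyst]
srchIndexesDefault = main;pan_logs
"""

# Constructed sample macros.conf in the shape discussed in the thread.
MACROS_CONF = """[pan_index]
definition = eventtype="pan"
[pan_logs]
definition = index=pan_logs eventtype="pan"
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments and blanks are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def roles_missing_default_index(authorize_text, index):
    """Roles whose srchIndexesDefault lists neither `index` nor the '*' wildcard."""
    missing = []
    for stanza, keys in parse_conf(authorize_text).items():
        if not stanza.startswith("role_"):
            continue
        defaults = [i.strip() for i in keys.get("srchIndexesDefault", "").split(";")]
        if index not in defaults and "*" not in defaults:
            missing.append(stanza[len("role_"):])
    return missing


def macros_pinned_to_index(macros_text):
    """Macros whose definition hardcodes an index=... term (the workaround from the thread)."""
    pinned = {}
    for stanza, keys in parse_conf(macros_text).items():
        match = re.search(r'\bindex=("?)([\w*-]+)\1', keys.get("definition", ""))
        if match:
            pinned[stanza] = match.group(2)
    return pinned
```

Run it against the real $SPLUNK_HOME/etc/system/local/authorize.conf and the app's macros.conf to see which roles would not search pan_logs by default and which macros were pinned as a workaround.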