Solved: Using a custom index for the Palo Alto logs

mikemuzinich · ‎04-23-2020

I have the Palo Alto Networks and and the Palo Alto Networks Add-on apps installed and the logs are being ingested but nothing appears on the dashboards. Is this likely due to using a custom index?

mikemuzinich · ‎04-24-2020

Please disregard my previous post. The issue was with the macro.

Changed

| pan_tstats count FROM node(log.system) $serial_number$ $vsys$ $description$ $log_subtype$ $severity$ $event_id$ table(_time log.serial_number log.description log.log_subtype log.severity log.event_id) | sort -_time

to

| tstats count FROM node(log.system) $serial_number$ $vsys$ $description$ $log_subtype$ $severity$ $event_id$ table(_time log.serial_number log.description log.log_subtype log.severity log.event_id) | sort -_time

And the latter worked.

View solution in original post

mikemuzinich · ‎04-24-2020

Please disregard my previous post. The issue was with the macro.

Changed

| pan_tstats count FROM node(log.system) $serial_number$ $vsys$ $description$ $log_subtype$ $severity$ $event_id$ table(_time log.serial_number log.description log.log_subtype log.severity log.event_id) | sort -_time

to

| tstats count FROM node(log.system) $serial_number$ $vsys$ $description$ $log_subtype$ $severity$ $event_id$ table(_time log.serial_number log.description log.log_subtype log.severity log.event_id) | sort -_time

And the latter worked.

DalJeanis · ‎04-28-2020

@mikemuzinich - Please mark your code using the code button (101 010) or by leaving four spaces in front of each line of code.

If your problem is solved, please accept your solution so that people will know you got what you needed.

DalJeanis · ‎04-30-2020

Thanks for posting your successful action!

DalJeanis · ‎04-23-2020

It might be.

The very first thing is to make sure you have the ability to see that index. If you have full admin rights, then you probably do. The second thing is to check to see that ingestion is occurring. If you have access to that index, then do this for, say, 24 hours:

 | tstats count where index=foo

If the number is zero, then either it's not being ingested, or you don't have access.

If data is being ingested, and you do have access, then if it's not showing up in a dashboard, either the dashboard doesn't have access, the search is wrong, or there's something else screwed up with the knowledge objects, probably permissions.

So, go to the dashboard, and when nothing comes up, click the little magnifying glass icon to open the search in "search". from that point, take everything off except the stuff before the first pipe. Add | head 10 where that stuff used to be, and run it. If it comes back with data, then add back half the rest of the search and run it again. keep cutting the code in half until you find which line is causing the results to disappear. Usually, at that point, the culprit will be obvious.

For instance, a lookup table may be stale, missing, or have the wrong permissions. Fix that then start over. And so on until your dash is working.

If it turns out that the searches are running against the wrong index, then you'll need to research where that field is set in the Palo Alto app, and get it changed.

If you are making app-level changes, then when you think you are ready to do that, get onto the Splunk Slack channel, probably the #admin subchannel, and talk it through down there to make sure there's nothing else you are forgetting. There are lots of people who have been through that war before you, and will tell you where the land mines are buried.

Best Wishes.

Using a custom index for the Palo Alto logs

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life