
What is causing my Palo Alto logs to extract 100s of meaningless fields?

Glasses
Builder

I followed the Palo Alto Add-on instructions and installed the TA on the receiving HF and my distributed non-clustered indexers.
I am noticing hundreds of parsed and extracted fields that are meaningless, i.e. fields created based on the parsing of a uri... It seems something is telling splunk to parse the logs on commas and equal signs for example.

Has anyone else experienced this? Does anyone know how to fix this issue? I am using the 6.2.0 version of the TA. I also put the app and TA on the SH but that causes a useful field "src" to disappear. After disabling it the src field returned.

It seems like the add-on is mis-configured, but I need some advice on how to troubleshoot this.

Thank you

0 Karma

PavelP
Motivator

Hello @Glasses,

"fields created based on the parsing of a uri" can be an effect of KV_MODE=auto which is enabled by default and applied at search-time.

Most Palo Alto sourcetypes (except pan:aperture) don't use KV mode extraction, so you can try disabling it.

Which particular sourcetype do you have a problem with? pan:traffic?

0 Karma
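As an added illustration of the suggestion above (not configuration from the Palo Alto TA or from any post in this thread), this is what turning off the search-time key=value extraction for one sourcetype looks like in props.conf. The stanza name pan:threat is the sourcetype named later in the thread; the file location (a local/props.conf on the search head, where search-time settings are applied) is an assumption.

```ini
# Constructed example: $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf on the search head.
# KV_MODE is a search-time setting, so it takes effect where the search runs, not on the HF.
[pan:threat]
# The default (KV_MODE = auto) extracts every key=value pair it can find in the event,
# which the thread attributes to the unwanted fields pulled out of the URI.
# Setting it to none leaves the TA's own field extractions in place and stops the automatic ones.
KV_MODE = none
```

After a restart, `splunk btool props list pan:threat --debug` on the search head shows which file wins for KV_MODE, so you can confirm that no higher-precedence configuration sets it back to auto.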

Glasses
Builder

Still waiting on Palo to reply about this, but I am going to try your suggestion... would you disable it on the HF and indexers?

0 Karma

Glasses
Builder

I am having trouble with Threat

0 Karma

richgalloway
SplunkTrust

As I understand it, the Palo Alto logs are very configurable. Work with your PA admin to ensure the TA is parsing what PA is sending.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Glasses
Builder

They told me they were syslogging all threat and system fields to my HF > IDX... that is all I know.

0 Karma

to4kawa
Ultra Champion

"they were syslogging all fields threat and system"

Why don't you modify them?

0 Karma

Glasses
Builder

they don't want to, they want me to drop at receiving HF...

0 Karma

to4kawa
Ultra Champion

If you provide props.conf on HF and IDX, maybe transforms.conf on SH too,
we can help you.

0 Karma

Glasses
Builder

Thank you, but I am going to open a case. I think there are a lot of abandoned legacy confs and there might be a conflict, although a btool check did not find anything.

0 Karma