What is causing my Palo Alto logs to extract hundreds of meaningless fields?

I followed the Palo Alto Add-on instructions and installed the TA on the receiving HF and on my distributed, non-clustered indexers.
I am noticing hundreds of parsed and extracted fields that are meaningless, i.e. fields created based on the parsing of a URI... It seems something is telling Splunk to parse the logs on commas and equal signs, for example.
Has anyone else experienced this? Does anyone know how to fix this issue? I am using the 6.2.0 version of the TA. I also put the app and TA on the SH, but that causes a useful field, "src", to disappear. After disabling it, the src field returned.
It seems like the add-on is misconfigured, but I need some advice on how to troubleshoot this.
Thank you
Hello @Glasses,
"fields created based on the parsing of a uri" can be an effect of KV_MODE=auto, which is enabled by default and applied at search time.
Most Palo Alto sourcetypes (except pan:aperture) don't use KV-mode extraction, so you can try to disable it.
Which particular sourcetype are you having problems with? pan:traffic?
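As an added illustration (not code from this thread or from the Palo Alto add-on), the snippet below contrasts the two extraction paths on a constructed pan:threat-style line with a simplified positional layout: the key=value pairs inside the URL are exactly what a search-time auto pass turns into fields, while the add-on's named fields come from the delimiter parse. The regex is a rough stand-in for Splunk's auto KV tokenizer, not its real implementation.

```python
import csv
import re
from io import StringIO

# Constructed sample resembling a pan:threat CSV event. The field order is
# simplified for illustration and is NOT the real Palo Alto layout; the URL
# field carries query parameters, which is the interesting part.
SAMPLE_EVENT = (
    '1,2024/01/15 10:22:31,001122334455,THREAT,url,2049,'
    '10.1.2.3,203.0.113.9,"example.test/search?q=shoes&utm_source=mail&ref=home",'
    'alert'
)

# Names assigned to the positions of this constructed layout (hypothetical).
POSITIONAL_FIELDS = ["future_use", "receive_time", "serial", "type", "subtype",
                     "session_id", "src", "dest", "url", "action"]

# Approximation of KV_MODE=auto: any word=token pair anywhere in the raw event
# becomes a field. Splunk's real tokenizer is more elaborate; this only shows
# why a URL with a query string yields junk field names.
AUTO_KV_RE = re.compile(r'(\w+)=([^\s,&"]+)')


def auto_kv(event: str) -> dict:
    """Fields a search-time auto key=value pass would pick up from the event."""
    return {k: v for k, v in AUTO_KV_RE.findall(event)}


def positional(event: str) -> dict:
    """Fields from a comma-delimited extraction, keyed by position."""
    values = next(csv.reader(StringIO(event)))
    return dict(zip(POSITIONAL_FIELDS, values))


def spurious_fields(event: str) -> set:
    """Auto-KV field names that are not among the add-on's named fields."""
    return set(auto_kv(event)) - set(positional(event))


# props.conf stanza that turns the search-time auto pass off for one sourcetype.
# KV_MODE is a search-time setting, so this belongs where searches run (the SH):
#   [pan:threat]
#   KV_MODE = none
```

With the sample above, `spurious_fields(SAMPLE_EVENT)` returns the query-string keys (`q`, `utm_source`, `ref`), while `positional(SAMPLE_EVENT)["src"]` is still `10.1.2.3`, which is the behaviour you want to keep after disabling auto KV.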
Still waiting on Palo to reply about this, but I am going to try your suggestion... Would you disable it on the HF and indexers?
I am having trouble with Threat.
As I understand it, the Palo Alto logs are very configurable. Work with your PA admin to ensure the TA is parsing what PA is sending.
If this reply helps you, Karma would be appreciated.
They told me they were syslogging all fields for threat and system to my HF > IDX... that is all I know.
they were syslogging all fields threat and system
Why don't you modify them?
they don't want to, they want me to drop at receiving HF...
If you provide props.conf on HF and IDX, and maybe transforms.conf on SH too, we can help you.
Thank you, but I am going to open a case. I think there are a lot of abandoned legacy confs and there might be a conflict, although a btool check did not find anything.
