
What is causing my Palo Alto logs to extract 100s of meaningless fields?

Glasses
Builder

I followed the Palo Alto Add-on instructions and installed the TA on the receiving HF and my distributed non-clustered indexers.
I am noticing hundreds of parsed and extracted fields that are meaningless, i.e., fields created by parsing a URI... It seems something is telling Splunk to parse the logs on commas and equal signs, for example.

Has anyone else experienced this? Does anyone know how to fix this issue? I am using the 6.2.0 version of the TA. I also put the app and TA on the SH but that causes a useful field "src" to disappear. After disabling it the src field returned.

It seems like the add-on is misconfigured, but I need some advice on how to troubleshoot this.

Thank you


PavelP
Motivator

Hello @Glasses,

"fields created based on the parsing of a uri" can be an effect of KV_MODE=auto which is enabled by default and applied at search-time.

Most Palo Alto sourcetypes (except pan:aperture) don't use KV-mode extraction, so you can try to disable it.

Which particular sourcetype do you have a problem with? pan:traffic?

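One way to apply the suggestion above to the threat sourcetype, as an added example that is not from this thread or from the Palo Alto Add-on; the file path and the add-on directory name are assumptions, and KV_MODE is a search-time setting, so the override belongs on the search head (it reaches the indexers through the search bundle):

```ini
# Added example, not part of the thread or the Palo Alto Add-on.
# Assumed location: $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/local/props.conf
# on the search head. A local/ file overrides the add-on's default/ stanza.

# Implicit (weak) behaviour: with no KV_MODE line, Splunk falls back to
# KV_MODE = auto and turns every "key=value" pair it finds in the raw event,
# including pairs inside a URL query string, into a field at search time.
# Shown commented out; it is the default, not something to set.
#[pan:threat]
#KV_MODE = auto

# Corrected: switch off automatic key=value discovery for pan:threat.
# The add-on's own REPORT-based extractions are unaffected, because
# KV_MODE only governs the automatic key=value extractor.
[pan:threat]
KV_MODE = none
```

After restarting or reloading the search head, `splunk btool props list pan:threat --debug` prints each effective setting with the file it came from, which shows whether the local stanza has actually taken precedence.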

Glasses
Builder

Still waiting on Palo to reply about this, but I am going to try your suggestion... Would you disable it on the HF and indexers?


Glasses
Builder

I am having trouble with Threat.


richgalloway
SplunkTrust

As I understand it, the Palo Alto logs are very configurable. Work with your PA admin to ensure the TA is parsing what PA is sending.

---
If this reply helps you, Karma would be appreciated.

Glasses
Builder

They told me they were syslogging all threat and system fields to my HF > IDX... that is all I know.


to4kawa
Ultra Champion

they were syslogging all fields threat and system
Why don't you modify them?


Glasses
Builder

They don't want to; they want me to drop them at the receiving HF...


to4kawa
Ultra Champion

If you provide props.conf from the HF and IDX, and maybe transforms.conf from the SH too,
we can help you.


Glasses
Builder

Thank you, but I am going to open a case. I think there are a lot of abandoned legacy confs and there might be a conflict, although a btool check did not find anything.
