
Why does parsing not work outside of the Splunk App for Palo Alto Networks?

reswob4
Builder

My question is probably related to the (unanswered) question: http://answers.splunk.com/answers/219615/why-is-the-splunk-for-palo-alto-networks-app-not-p.html

I have a single Palo Alto forwarder from which I am sending the logs to an index (one of two) and then searching the data at the search head. I installed the Palo Alto app straight from the apps.splunk.com and the default has appeared to work just fine until now.

Today I noticed that it appears the parsing is not working properly. If I use the following search:

index=pan_logs sourcetype="pan_traffic" 10.10.10.10

the search results are parsed correctly with extractions and labels and such, but if I just search for

10.10.10.10 

and I have results from a variety of sources and source types, any results with sourcetype 'pan_traffic' are NOT parsed at all and do not have any labels or data extracted beyond the very basic syslog parsing:

Selected    host            10.10.10.10
            source          udp:6514
            sourcetype      pan_traffic

Event       eventtype       pan
                            pan_traffic
            index           pan_logs
            linecount       1
            splunk_server   SPLUNK.xxx.xxx

Time        _time           2015-07-22T13:36:30.000-04:00

Default     punct           __::_--.-._,//_::,,,,,//_::,...,...,...,...,__,..\

This makes it hard to correlate the actions of the IP I'm searching for with other events from other sourcetypes.

Any idea what is going on? We need to be able to search a single data point and view the results from all sourcetypes with that data point to get a story of what that data point is doing.

Thanks.

1 Solution

dfronck
Communicator

Answer by hlarimer
"the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app."

Edit SplunkforPaloAltoNetwork/metadata/default.meta and change none to system in props, transforms and lookups.

By default...

### PROPS

[props]
export = none

### TRANSFORMS

[transforms]
export = none

[lookups]
export = none

Taken from http://answers.splunk.com/answers/208987/after-upgrade-to-splunk-621-why-are-fields-no-long.html

reswob4
Builder

Thanks @dfronck


ajmichaelson
Engager

I found you can also edit the SplunkforPaloAltoNetwork/metadata/local.meta file and add these three stanzas:

[props]
export=system

[transforms]
export=system

[lookups]
export=system

I'm guessing that because the default.meta has those specific entries, even though sharing the configurations through the GUI adds a global stanza [], it is not overriding those specific stanzas in the default.meta file.

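A quick way to check that layering from the filesystem, as an added example that is not from the thread or the Palo Alto app: a small Python script that models the .meta precedence the two posts above describe (the most specific stanza wins, and local.meta beats default.meta within the same stanza; that ordering is an assumption drawn from what ajmichaelson observed, not taken from Splunk documentation) and reports which knowledge-object types are still private to the app. The file contents are constructed samples that mirror the thread.

```python
# Added example: resolve the effective `export` scope of an app's knowledge
# objects from default.meta and local.meta, so "why are my fields gone in
# the Search app?" can be answered without eyeballing two files.
import configparser

# Constructed sample: default.meta pins export = none per object type, and
# local.meta only carries the global [] stanza that "share globally" in the
# GUI writes (the situation described in the thread).
DEFAULT_META = """
[]
access = read : [ * ], write : [ admin ]
export = none

[props]
export = none

[transforms]
export = none

[lookups]
export = none
"""

LOCAL_META = """
[]
export = system
"""

# Constructed fix: the three per-type stanzas ajmichaelson added to local.meta.
LOCAL_META_FIXED = LOCAL_META + "\n[props]\nexport = system\n\n[transforms]\nexport = system\n\n[lookups]\nexport = system\n"

OBJECT_TYPES = ("props", "transforms", "lookups", "eventtypes", "savedsearches")


def parse_meta(text):
    """Parse a .meta file into {stanza: {key: value}}. The global stanza is
    written as '[]', which configparser cannot name, so it becomes 'GLOBAL'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(("\n" + text).replace("\n[]\n", "\n[GLOBAL]\n"))
    return {s: dict(cp[s]) for s in cp.sections()}


def effective_export(default_meta, local_meta, obj_type):
    """Assumed precedence: [obj_type] before [], local.meta before default.meta
    within a stanza. Falls back to 'none' (app-private) when nothing is set."""
    for stanza in (obj_type, "GLOBAL"):
        for layer in (local_meta, default_meta):
            value = layer.get(stanza, {}).get("export")
            if value is not None:
                return value
    return "none"


def unshared_objects(default_text, local_text, types=OBJECT_TYPES):
    """Return the object types whose extractions stay confined to the app."""
    d, l = parse_meta(default_text), parse_meta(local_text)
    return [t for t in types if effective_export(d, l, t) != "system"]


if __name__ == "__main__":
    print("before fix, not exported:", unshared_objects(DEFAULT_META, LOCAL_META))
    print("after fix, not exported:", unshared_objects(DEFAULT_META, LOCAL_META_FIXED))
```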

mmccul
SplunkTrust

The app for parsing PAN logs does not share the field extractions. You can use the search category of the app to construct your arbitrary app. Sounds like you are not necessarily searching from within the Palo Alto Networks app.


jnussbaum_splun
Splunk Employee

When you search for "index=pan_logs sourcetype="pan_traffic" 10.10.10.10" - what app are you searching under?
When you search for "10.10.10.10" - what app are you searching under?

If you search for "10.10.10.10" under the Palo Alto App's "search" tab w/ verbose mode - what happens?

It could be that the knowledge objects around palo are confined to the app.
