All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the Threat Dashboard blank after upgrading the Palo Alto Networks App for Splunk from 3.x to 5.0.1?

itreghenssler
Explorer
‎03-31-2016 04:33 PM

Using Splunk 6.2
Upgraded the Palo Alto Networks App for Splunk from 3.x (no TA installed) to 5.0.1 and after waiting for the data models to update to 100%, all of the Content dashboards are populating, but nothing under Threat - all of the dashboard objects show the grey warning triangle and 'tstats' Additionally, within the overview dashboard, the EventTypes panel is blank (no warning, but no data) and the Applications by Destination IP Location shows nothing, where prior it did show locations.

Prior to the upgrade all were working without issue for over a year.

I followed the steps in the upgrade guide and under troubleshooting. Created the inputs.conf file in the correct location for the PA App, deleted the lookups folder from the SplunkforPaloAltoNetworks folder (all default), verified that the data is flowing (as indicated by the Content dashboard and I can view/search the log data).

What did I miss?

0 Karma
Reply

itreghenssler
Explorer
‎04-05-2016 09:34 AM

I found the issue with the Threat Dashboard:
This was the default search string in the panels:

| `tstats' count FROM...

changing that to:

| `pan_tstats' count FROM...

There are several other panels where the sourcetype or field names needed to be changed. For example dst_ip is now dest_ip.

Resolved the issue with the panels in that view.

I still have not figured out the fix for Threat Details panels. If anyone knows the proper syntax for those, any help appreciated.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...