Re: Wildfire API Requests seems to be broken

splk · ‎02-20-2019

Hello Team,

I try to setup the Wildfire API Report download.
Prerequesists are met, so API Key is setup, and we get Wildfire Logs through syslog.

While debugging I notice the following safedsearch is triggered:
search = pan_wildfire verdict="malicious" | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=main sourcetype=pan:wildfire_report

https://github.com/PaloAltoNetworks/SplunkforPaloAltoNetworks/blob/639568f065ce026e2554d4b9be04a85b2...

I see two issues, pan_wildfire alias seems not to work without an index, and the script stores the result in the main index, which should be empty.

I am wondering if anybody get this working?
Python.log is shows no entries.

Kind regards

lakshman239 · ‎02-27-2019

Are you using the add-on to collect the logs and the apps?

https://splunkbase.splunk.com/app/491/
https://splunkbase.splunk.com/app/2757/

I have used the add-on and used another index to receive traffic and threat feeds from PaloAlto IPS

Wildfire API Requests seems to be broken

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation