No results in Palo Alto Networks app after upgrade to Splunk 7.2.1
I've upgraded our Splunk from 7.2.0 to 7.2.1 and now we do not have any results anymore in the Palo Alto Networks app.
In the (general) search all data from the Palo Alto is visible, but the dashboards are not filled, apart from the "realtime event feed".
The "snort for splunk" dashboard is still working fine.
I have gone through the troubleshooting steps, but that did not solve the problem.
Any suggestions on how to get the data back in the various PA dashboards?
I overlooked that one, as there doesn't seem to be a build status displayed.
This is what I see in the Data Model overview:
*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Palo Alto Networks Aperture Logs
MODEL
Datasets 6 Events Edit
Permissions Shared in App. Owned by nobody. Edit
ACCELERATION Model is not accelerated.
=-=-=-=-=-=-=-=-
In Operations - Data Model Audit the following error is shown:
"Error in 'DataModelEvaluator': Data model 'pan_endpoint' was not found."
and the acceleration on the data models shows "disabled" in red.
In the Event types there is a "pan_endpoint" definition.
We are currently using the free Splunk Enterprise (no licensing alerts or violations) and it seems there is no "Edit - Edit Acceleration" in the data model management page.
Is it an option to disable/remove the PA app and reinstall it?
There's nothing about 7.2.1 vs 7.2.0 that would cause any difference. But perhaps this upgrade caused the datamodels to rebuild? When you went through the troubleshooting steps, what was the datamodel build status?
