no results in palo alto network app after upgrade ...

PWV · ‎11-21-2018

I've upgraded our Splunk form 7.2.0 to 7.2.1 and now we do not have any results any more in the Palo Alto Networks app.
In the (general) search all data from the Palo Alto is visible, but the dashboards are not filled apart form the 'realtime event feed"
The "snort for splunk" dashboard is still working fine.
Have gone through the trouble shoot steps, but that did not solved the problem.
Any suggestion how to get the data back in the various PA dashboards

PWV · ‎11-21-2018

i over looked that one, as there doesn't seems to be a build status displayed.

This is what I see in the Datamodel overview:
*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Palo Alto Networks Aperture Logs

MODEL
Datasets 6 Events Edit

Permissions Shared in App. Owned by nobody. Edit

ACCELERATION Model is not accelerated.

=-=-=-=-=-=-=-=-

In Operation-Data Model Audit the following error is shown:

"Error in 'DataModelEvaluator': Data model 'pan_endpoint' was not found. "
and the acceleration on the data models " disabled" in red.

In the Event types there is a "pan_endpoint" definition.

We are currently using the free Splunk Entrprise (no licensing alerts or violations) and it seems there is no "Edit-Edit Acceleration" in the data model management page.

Is it an option to disable-remove the PA app and reinstall?

btorresgil · ‎11-21-2018

There's nothing about 7.2.1 vs 7.2.0 that would cause any difference. But perhaps this upgrade caused the datamodels to rebuild? When you went through the troubleshooting steps, what was the datamodel build status?

no results in palo alto network app after upgrade to splunk 7.2.1

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life