I found some of the Web Activity dashboard panels are not being populated. After digging into it a bit, I discovered that the 'log.app:category' field has no values. Digging deeper, I'm not finding that field extraction in the app or the add-on. I am running Splunk 7.0.2, app/addon version 6.1.1. Anyone know how that field is supposed to be extracted or calculated?
Have you configured the Firewall/panorama credentials into Splunk?
I'm not entirely sure what you mean by that, would you mind being a bit more explicit? I am getting events, so it seems like the answer is yes I have configured the firewall credentials. But maybe I am not looking at the same thing you are thinking about.
The app metadata is extracted from the content packs on the Firewall itself. This field does not come down with the logs. Look at "Update App and Threat Metadata from Content Pack" for more information on how this is done.
https://splunk.paloaltonetworks.com/lookups.html
In order to pull the content packs, the Firewall needs to be configured with a user that has API access. That user information is then set on the configuration screen of Splunk_TA_paloalto.
Take a look at "Firewall/Panorama API Configuration" which explains how to set this up.
https://splunk.paloaltonetworks.com/firewalls-panorama-and-traps.html
I have re-configured the authentication settings and confirmed both saved searches 'Palo Alto Networks - Retrieve ContentPack Apps' and 'Palo Alto Networks - Retrieve ContentPack Threats' are returning results. The resulting lookup tables are populated. But the dashboard is still not populating. When I run '| datamodel pan_firewall search', I see values for the 'log.app:category' field. But the main search behind the Web Activity dashboard uses '| tstats', and as soon as I add the 'log.app:category' field into the GROUPBY field list, the results go away.