Solved: Splunk for PaloAlto after upgrading is not working

josephrehling · ‎02-07-2013

We have been using Splunk for PaloAlto for a a few years now and recently upgraded to the latest version. Since upgrading most of the application appears to have stopped working. After reading the readme, I have a number of questions:

Can someone post a link to the Splunk for AMMAP maps application. We only have Google maps installed and would be happy to stay with that, but we are not sure if this is why no data is being displayed and want to try adding that application before we start tinkering with other parts of the system.
We noticed that in the read me it calls for creating a different index for Palo Alto. We never did that and have over 2 billion entries already in our index. Since that wasn't required for operation in the past, are we going to have to do that now? All of our logs are in main. We identify PAN_LOGS by pushing logs from the PaloAlto to a dedicated port that marks the log Source Type. From what I can see, the app now requires the index to be named PAN_LOGS. Can we reconfigure the application to use main so we don't need to figure out how to move 2 billion plus existing logs?

While writting this we have found some information about inputs.conf that we are going to try to figure out. If we are headed in the wrong direction, we would appreciate a point to the right way to fix this.

monzy · ‎02-07-2013

The ammap app is here: http://splunk-base.splunk.com/apps/22372/splunk-for-use-with-ammap-flash-maps

Your views arent working because of the index name being different. You can edit $SPLUNK_HOME/etc/apps/SplunkForPaloAloNetworks/local/macros.conf. Create a stanza
[pan_index]
definition = index=main

Restart Splunk. This will fix all views except for the main landing page (pan_overview_switcher_maps) . It is generally a god idea to keep indexes separated but not necessary.

To fix the main dashboard, go to manager, user interface, views, and edit the pan_overview_switcher_maps view. Replace wherever it says index=pan_logs with 'pan_index' (enclosed in back tick not a single quote).

Cheers,

Monzy

View solution in original post

josephrehling · ‎02-07-2013

I took what I will refer to as the easy way out... I directed the PAN traffic to the pan_logs index, rolled back all of my changes and will just except that the old logs are not going to be accessible from the PAN console. Not my favorite answer, but if I hack my way through a bunch of changes that make me a unique environment, every time I do an update I am going to run the risk that the problems will reoccur. Hopefully now the issues will be resolved. I wish I could migrate the 2 billion + existing entries that we have, but from what I read that is not going to be very practical. In a few years, no one will care that I changed the index...

monzy · ‎02-07-2013

please see above correction. the macro name should be pan_index and not base_index. as for the view, i registered the inconsistency as a bug; sometime ago. the current dev version for the app, to be released in a few days, will have pan_index associated with dashboards. so users can change idnexes as their business requires.

monzy · ‎02-07-2013

The ammap app is here: http://splunk-base.splunk.com/apps/22372/splunk-for-use-with-ammap-flash-maps

Your views arent working because of the index name being different. You can edit $SPLUNK_HOME/etc/apps/SplunkForPaloAloNetworks/local/macros.conf. Create a stanza
[pan_index]
definition = index=main

Restart Splunk. This will fix all views except for the main landing page (pan_overview_switcher_maps) . It is generally a god idea to keep indexes separated but not necessary.

To fix the main dashboard, go to manager, user interface, views, and edit the pan_overview_switcher_maps view. Replace wherever it says index=pan_logs with 'pan_index' (enclosed in back tick not a single quote).

Cheers,

Monzy

josephrehling · ‎02-12-2013

That was probably the issue, but I got impatient and just changed the index. I will submit another post for some other issues I am having. Greatly appreciate your response.

monzy · ‎02-07-2013

i have changed my response to include the correct macro name for future readers who may not read this far down.

monzy · ‎02-07-2013

there is an error in my response. the macro being used is pan_index and not base_index. the macro stanza should be:

[pan_index]
definition = index=main

and the view searches should then include pan_index instead of index=pan_logs

josephrehling · ‎02-07-2013

Also... When I modified the macros.conf I just pasted what you gave me at the top. I didn't look to see if the entry was already there.

josephrehling · ‎02-07-2013

So I modified Macros and restarted and then went into the view and modified six locations as specified. When I go into the Traffic \ Searches & Reports it is still looking for the wrong location.

It is has been about ten minutes and I don't think the main dashboard is working. Google is coming up and displaying the map, but no data is being displayed in any of the fields

This is an example of what I see in the reports.
index=pan_logs sourcetype=pan_traffic ....

josephrehling · ‎02-07-2013

So looked at the inputs.conf.sample file and modified it as follows:
index=main
#connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true

I then saved it as inputs.conf in the same folder as inputs.conf.sample and restarted the splunk service. That appears to have had no effect...

Splunk for PaloAlto after upgrading is not working

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!