Palo Alto Wildfire dashboard is not working

pateriaak
Explorer

I've recently started ingestion of Wildfire events in the Palo Alto app. The dashboard "Wildfire Submission" seems broken. I looked into the queries forming those panels. One of the queries I would like to mention here:
| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.wildfire" """" groupby _time log.rule log.src_ip log.dest_ip log.verdict log.file_name log.file_type log.user log.app log.file_hash log.src_location

The field "file_name" is breaking this query's result. It comes from nodename=log.wildfire, which in turn is populated from the data model pan_firewall. Removing this field will show the result count and the remaining fields.
Upon looking into the data model I see this field as optional, and at least 50% of the raw events from this sourcetype contain the field file_name.
Any lead would be helpful.


lakshman239
Influencer

As this is an optional field, you can remove it from the search, if that would suffice to show results in the dashboard. The other option would be to force 'unknown' for file_name if it's null, using local/props.conf, something like

EVAL-file_name=coalesce(file_name,"unknown")

where file_name is the extraction from the actual app/add-on.

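For readers who want to try the second option, here is an added example of what that local/props.conf stanza would look like. It is not configuration shipped by the Palo Alto app or add-on, and the sourcetype name is a placeholder: replace it with the sourcetype that actually carries your WildFire events. The point of the EVAL is that tstats, like stats, drops any event whose groupby field is null, so a WildFire event with no file_name silently disappears from the panel; giving the field a fixed fallback value keeps those events in the count and makes the gap visible in the dashboard instead of hiding it.

```ini
# Added example, not part of the Palo Alto app. Place this in the add-on's
# local/props.conf (or in a dedicated app) so it survives upgrades.
# <wildfire_sourcetype> is a placeholder for the real sourcetype name.
[<wildfire_sourcetype>]
# Search-time calculated field: keep the add-on's own extraction when it
# exists, otherwise substitute a fixed marker so groupby does not drop the event.
EVAL-file_name = coalesce(file_name, "unknown")
```

Two things to check after deploying it. First, the dashboard search uses summariesonly=t, so it only reads the accelerated summaries of the pan_firewall data model; summaries built before the EVAL existed will not contain the new value, so either rebuild the acceleration or wait for newly indexed events to show up. Second, confirm the fallback is actually reaching the model with a narrower search such as `| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.wildfire" groupby log.file_name`; a row with log.file_name="unknown" tells you the stanza is being applied and how many submissions arrive without a file name.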


pateriaak
Explorer

Yes, like I mentioned, removing this field displays results. So I can definitely remove this field. Thank you for your input.
