Splunk Enterprise Security

Palo Alto app Dashboard not showing any data.

amksa
Explorer

Hello Folks,

I am having an issue where my PA app is not showing events, but I am able to run searches and find some results:

Background: I have moved all the VMs where we have our Splunk servers to a different VLAN.
After we did that, our PA app is not parsing the data anymore.
1 - For example: eventtype=pan works properly and I can see the logs. The issue is that most of the logs are TRAFFIC logs. I looked for THREAT, for example, and found nothing.
2 - We updated to the latest app, and we set up the sourcetype pan:log.
Our input file:

[monitor:///apps/splunk_logs/panw/E*/panw.log]
# sourcetype assigned at input time; the add-on rewrites it per log type at parse time
sourcetype = pan:log
index = pan_logs
# host is taken from the 4th path segment, i.e. the E* directory
host_segment = 4
ignoreOlderThan = 30d
disabled = false

We can see the sourcetype pan:log in the search results, but not the others, such as pan:threats, pan:config, and so forth.
3 - For the inputs file, we have a deployment app that we're using, and we have it as above.
4 - I tried installing the app and the add-on locally, created /local/inputs.conf, and added the same info as above, and still nothing is showing.

Please advise.

Thanks!

0 Karma

BrendanCO
Path Finder

Can you please expound on that update? What does "adding TA" mean?

0 Karma

amksa
Explorer

I have fixed this issue by adding the TA to the HF and the indexers (all of the ones I have), and it worked.

0 Karma
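The fix in the reply above, and the symptom in the original question (pan:log visible, the per-type sourcetypes absent), come down to where Splunk's parsing pipeline runs. Sourcetype rewriting by the add-on is an index-time operation applied by the first heavy forwarder or indexer an event passes through: a universal forwarder does not parse, and an indexer does not re-parse data a heavy forwarder has already cooked, so an add-on that lives only on the indexers never sees events that went through an HF without it. The Python script below is an added example, not code from the thread or from the Palo Alto add-on. It reads constructed PAN-OS style CSV lines, takes the log type from the 4th CSV field, and applies a simplified, assumed mapping (pan:traffic, pan:threat, pan:config, pan:system) only when the first parsing tier in the path carries the add-on. The tier names, the mapping and the sample lines are assumptions for illustration; the real add-on's transforms are more detailed.

```python
#!/usr/bin/env python3
"""Simulate where the Palo Alto add-on must live for sourcetype rewriting.

Added example for the thread above, not code from the Palo Alto add-on.
The log-type-to-sourcetype mapping and the sample lines are assumptions.
"""
import csv

INPUT_SOURCETYPE = "pan:log"  # what inputs.conf assigns at input time

# Assumed, simplified mapping from the PAN-OS log type (4th CSV field)
# to the sourcetype the add-on rewrites it to at parse time.
TYPE_TO_SOURCETYPE = {
    "TRAFFIC": "pan:traffic",
    "THREAT": "pan:threat",
    "CONFIG": "pan:config",
    "SYSTEM": "pan:system",
}

# Constructed sample lines in PAN-OS CSV style (syslog header, then CSV body).
# The last line is deliberately not a PAN-OS record.
SAMPLE_LINES = [
    "Jan 10 12:00:01 fw01 1,2024/01/10 12:00:01,001901000001,TRAFFIC,end,2049,"
    "2024/01/10 12:00:01,10.1.1.5,203.0.113.9,0.0.0.0,0.0.0.0,allow-out,,,web-browsing,vsys1,trust,untrust",
    "Jan 10 12:00:02 fw01 1,2024/01/10 12:00:02,001901000001,THREAT,vulnerability,2049,"
    "2024/01/10 12:00:02,198.51.100.7,10.1.1.20,0.0.0.0,0.0.0.0,block-in,,,web-browsing,vsys1,untrust,trust",
    "Jan 10 12:00:03 fw01 1,2024/01/10 12:00:03,001901000001,CONFIG,0,2049,"
    "2024/01/10 12:00:03,10.1.1.2,,set,web,admin",
    "Jan 10 12:00:04 fw01 1,2024/01/10 12:00:04,001901000001,SYSTEM,general,2049,"
    "2024/01/10 12:00:04,,,general,,",
    "Jan 10 12:00:05 fw01 not a pan-os record at all",
]


def pan_log_type(line):
    """Return the PAN-OS log type (4th CSV field) or None if the line is not a PAN-OS record."""
    fields = next(csv.reader([line]))
    if len(fields) < 4:
        return None
    return fields[3].strip().upper() or None


def rewrite_sourcetype(line, ta_present):
    """Sourcetype an event leaves the parsing tier with."""
    if not ta_present:
        # No props/transforms on this tier: the event keeps the input-time sourcetype.
        return INPUT_SOURCETYPE
    return TYPE_TO_SOURCETYPE.get(pan_log_type(line), INPUT_SOURCETYPE)


def first_parsing_tier(path):
    """path: list of (name, role, ta_present) with role 'uf', 'hf' or 'indexer'.

    Only heavy forwarders and indexers run the parsing pipeline, and the first
    one an event reaches is the one whose props/transforms apply.
    """
    for name, role, ta_present in path:
        if role in ("hf", "indexer"):
            return name, ta_present
    raise ValueError("no parsing tier (hf/indexer) in the forwarding path")


def index_events(lines, path):
    """Return (name of the tier that parsed, {sourcetype: event count})."""
    tier, ta_present = first_parsing_tier(path)
    counts = {}
    for line in lines:
        st = rewrite_sourcetype(line, ta_present)
        counts[st] = counts.get(st, 0) + 1
    return tier, counts


if __name__ == "__main__":
    # Before the fix: add-on on the indexers only, HF in the path without it.
    before = [("uf01", "uf", False), ("hf01", "hf", False), ("idx01", "indexer", True)]
    # After the fix: add-on on the HF and the indexers.
    after = [("uf01", "uf", False), ("hf01", "hf", True), ("idx01", "indexer", True)]
    print("TA on indexers only  :", index_events(SAMPLE_LINES, before))
    print("TA on HF and indexers:", index_events(SAMPLE_LINES, after))
```

With the add-on only on the indexers, every event is parsed by hf01 and stays pan:log, which matches the original symptom; once the HF carries it, the four PAN-OS types get their own sourcetypes and only the non-PAN-OS line remains pan:log. On a real deployment the equivalent check is to run `splunk btool props list pan:log --debug` on each heavy forwarder and indexer and confirm the add-on's stanza is listed there, not just on the search head.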

amksa
Explorer

To be more specific, I ran another search: index=pan_logs "vulnerability" and I was able to find THREAT logs as needed. Not sure what is missing.

0 Karma