@heathramos yeah this is going to be a fun one. You've got data model issues, which is way more involved than just fixing a macro. Data models are these complex hierarchical things with par...
See more...
@heathramos yeah this is going to be a fun one. You've got data model issues, which is way more involved than just fixing a macro. Data models are these complex hierarchical things with parent/child datasets that need to be built and accelerated properly - it's a whole thing. Looking at that search, it's trying to pull from datamodel=pan_firewall with specific node relationships. If that's not set up right (or at all), nothing's going to work. And troubleshooting data models means digging into dataset structures, field mappings, acceleration status - it's honestly not a quick fix. If you need this dashboard working soon and it's important to the business, you might want to just work with Splunk ondemand services. They can sort out your data models properly instead of you spending days figuring out why the acceleration isn't working or why the field extractions are wrong. If you want to try, spend some time in Settings > Data Models, checking what's actually there vs what the dashboard expects. You'll probably end up either rebuilding data models from scratch or rewriting all these tstats searches to use regular SPL. It's more like -audit your entire Palo Alto data ingestion and modeling setup. If this Helps Please Upvote.