The new App, Add-on, and ES are all released now. The following are all compatible and designed to work together: Palo Alto Networks App version 5.0 Palo Alto Networks Add-on version 3.5.1 Splunk Enterprise Security version 4.0 The new Add-on is Splunk_TA_paloalto . The old Add-on called TA_paloalto that came with ES 3.x is deprecated. If upgrading to Palo Alto Networks App version 5.0, please use the upgrade guide: http://pansplunk.readthedocs.org/en/latest/upgrade.html ... View more

In a threat log, the severity refers to the threat itself. This can have a high, low, critical, informational severity level, based on the threat itself. The risk refers to the application that the threat is leveraging. So, for example, if the threat is coming over smtp, that is a risk 5 application (high risk), but maybe the severity of the threat was something benign, so the severity is 'informational'. This example indicates a very minimal severity event that took place on a usually high risk application or protocol. Other log types besides 'threat' (like traffic or url logs) will still have a risk related to the application in those logs, but because there is no threat referenced in these log types, there will not be a severity . The new Palo Alto Networks App version 5.0 and Add-on clarify this distinction by prefixing the field names. The new field names are app:risk and threat:severity . If you decide to upgrade, please use the upgrade guide to migrate to App version 5.0: http://pansplunk.readthedocs.org/en/latest/upgrade.html ... View more

This is almost always caused because when upgrading to version 5.0 of the app, you haven't removed the old lookup tables in the app. Unfortunately, Splunk does not remove lookup tables during upgrades, but the lookup tables have been moved from the App to the Add-on, so they need to be removed from the App. The 5.0 upgrade guide offers more detail on how to remove the lookup tables to correct this issue: http://pansplunk.readthedocs.org/en/latest/upgrade.html ... View more

Hello, if you're missing data from only one dashboard (in this case, Overview Dashboard), it's most likely that dashboard was modified at some point, so you have a version of it in the app's local directory. This means you're using a modified version of the dashboard from an older version of the app, rather than the dashboard from the new version of the app. Check your local directory in the app for any dashboards. They are found in $APP_DIR/local/data/ui/views Delete any XML files you find there that you didn't create yourself. This will remove your customizations to the stock dashboards, but will allow you to use the upgraded dashboards that came with the new version of the app. If you have customizations you want to keep, you can copy those customizations, then copy the new dashboards from default to local and apply the customizations there. If that doesn't fix the problem, check your inputs to verify you are receiving new data. The Overview Dashboard is realtime and shows only fresh data being received now. The other dashboards show historical data. So it's possible a missing or misconfigured data input could cause this problem. UPDATE: Another possible cause is that the pan_logs index is not in the list of Indexes searched by default. I just added a note to the 5.0 upgrade guide under the Index section on how to correct this. It should make your macro modifications unnecessary. Upgrade Guide: http://pansplunk.readthedocs.org/en/latest/upgrade.html#index ... View more

Hello, The app needs to be installed on all searchheads, indexers, and heavy forwarders. Since the sourcetype for the events is pan_log, it means the events are not getting parsed by the app. 9 times out of 10 this is because the logs have been subtly modified by Syslog-NG so the props/transforms cannot recognize them. So... Make sure the app is installed on all necessary Splunk nodes Verify syslog-ng isn't adding any characters to the logs or modifying them in any way Hope that helps! Update: an earlier version of this answer said the sourcetype was pan_logs, but it is pan_log. This has been corrected. (thanks mbonsack) ... View more

Hi lbogle, Data Filtering is different than File Blocking. Data filtering dashboard will only show data from pan_data_filtering , not data from pan_file . ... View more

Most likely your datamodel acceleration is trying to rebuild after all the upgrades. Check the Palo Alto Networks data models to see if the acceleration is 100% built. If it isn't, verify that the percentage is increasing. You can speed up the process of datamodel rebuild by reducing the amount of data that is accelerated in the datamodel acceleration settings. The default is 1 year of data, but you can reduce it. ... View more