I recall we had this issue last time during the POC for PAN, but I don’t recall what the fix was. I also disabled Splunk Enterprise Security to see if there was some sort of resource conflict but there appeared not to be. When I checked the Palo Alto Networks Logs Data Models and then checked the Pivots and tried to build a table, I received the following errors: [lab-splunk] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search [splunk-index-ap] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search [splunk-index-eu] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search [splunk-index-sj] The search for datamodel 'pan_logs' failed to parse, cannot get indexes to search If I ran a Pivot in “Network Traffic” I received no errors. I also followed the below solution with no change in status. http://answers.splunk.com/answers/138840/only-the-overview-dashboard-has-data-pan-app-v4-1-1-splunk-v6-1-1.html with no change in status Palo Alto Networks Logs This datamodel represents all the syslogs produced by Palo Alto Networks devices. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated. MODEL Objects 17 Events Edit Permissions Shared in App. Owned by nobody. Edit ACCELERATION Rebuild Update Edit Status Building Access Count 0. Last Access: 1969-12-31T16:00:00-08:00 Size on Disk 0.00MB Summary Range 31536000 Buckets 0 Waited a couple hours, restarted Splunk search head. Tried switching between PAN_index and PAN_logs per the instructions with no change in status. PAN Logs are otherwise searchable and are showing up correctly it appears. Clocks between PAN FW's and Splunk app are within minutes of one another. Configured PAN App using these instructions: https://live.paloaltonetworks.com/docs/DOC-6593 ... View more

Hello Splunkers. I have the below search/subsearch which are working fine by themselves, but when I try to join them to create a 'master' list, I suddenly lose events. The main search returns approximately 9.3K events/hostnames and the sub search returns approx 11.8K hostnames. I'm expecting that joining them would return a number of hostnames, somewhere down the middle but I only get a little over 4K in return. What am I doing wrong? index=asset_db source="/var/asset_database/fullpull.csv" "System Name"=* NOT "Purpose2"=Farm | convert timeformat="%m/%d/%Y" mktime("Last Audit") as last_audit_time | eval timer=now()-(90*24*60*60) | where last_audit_time>timer | rename "OS Name" as OS | rename "System Name" AS hostname | eval hostname=lower(hostname) | join hostname [search index=assets source="/scratch/cadence_assets/AD-host-report.CSV" earliest=-90d@d latest=-0d@d Name=* "Operating System"=* | rename "Operating System" AS OS | rename Name AS hostname | eval hostname=lower(hostname) | fields hostname,OS] Thanks! ... View more

Hello Splunkers, I have some successful searches that are producing accurate numbers but I am trying to put them together so that I take the results of a nested sub search, remove them from the sub search and then join the results of the sub search to the main search. The problem is that I don't know how to use or otherwise achieve the equivalent of a NOT [search index=...... I know you need to do a join or append to get the contents of a sub search talking to the search 'above' it but is there a way to negate, subtract or do a NOT | join [search index=.... Can I add parentheses to move past this or what is the way to achieve what I am trying to do? Thanks. ... View more

Hello Splunkers, I have a search where I have two indexes from two different indexed .csv files. I have 3 seperate searches that seem to be working okay but I may be having trouble with the format of nesting the sub searches. Essentially I have two asset indexes in two different formats. One has a set of hostnames I can identify with attributes that I'd like to use to help identify and exclude said hostnames from the main search. This seems to be working successfully, however, I want to also join and dedup those two databases to help form up a master asset list. Here is what I have so far (index=asset_db source="/var/asset_database/fullpull.csv" NOT "Purpose2"=*Farm* "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Last Audit"=*) | convert timeformat="%m/%d/%Y" mktime("Last Audit") as last_audit_time | eval timer=now()-(90*24*60*60) | where last_audit_time>timer [search index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d NOT CN=*} NOT [search index=asset_db source="/var/asset_database/fullpull.csv" "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS CN | table CN] | rename CN as hostname | table hostname] | eval hostname=lower(hostname) | table hostname What am I doing wrong here? Thanks! ... View more

Hello Splunkers, I am successfully searching two indexes from two separate .csv files. Both indexes contain a 'similar' set of hostnames. I am searching index A for a particular list of hostnames that I would like to reference so that I can exclude any matching hostnames from index B. Anything with the field where Purpose2 has the word 'farm' in it needs to be excluded from both lists. I will eventually be joining the hostnames lists between indexes as one single master list but I need to exclude the list from Index A from both. Here is the search that identifies the list of hostnames from index A: index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS hostname search for index B which successfully returns a list of hostnames: index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* | rename CN as hostname How do I get index B search to "see" and exclude the search from index A? Thank you very much for any assistance. ... View more

Hello Splunkers, I've got a search built thats working properly but I'm not able to get the events with a particular blank field excluded. In particular, I'm trying to exclude events that have a blank System Name field. I was trying to do it thusly: search | where isnull(System Name) Is that wrong? Thanks, ... View more

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/radius_auth/admin/radius_auth/default. Found the following information in the _local index but am not sure what it means: 2014-09-09 09:59:50,167 ERROR RadiusAuthRestHandler - Exception generated while performing edit Traceback (most recent call last): File "/scratch/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 546, in handleEdit cleaned_params = RadiusAuthRestHandler.checkConf(new_settings, name, confInfo, existing_settings=existing_settings) File "/scratch/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 639, in checkConf validator.validate( stanza, cleaned_params, existing_settings ) File "/scratch/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 164, in validate raise admin.ArgValidationException("Unable to validate credentials against the server '%s' for user '%s'" % ( values['server'], values['test_username'])) ArgValidationException: Unable to validate credentials against the server 'srv-aaa01sj.cadence.com' for user 'lbogle' ... View more