Hello, I am using Palo Alto App for Splunk and its adaptive response feature. We have done some troubleshooting and testing and based on what we have accomplished so far, I have few questions: Commit required According to documents, "The IP is tagged on the firewall immediately, however, it can take up to 60 seconds for the tagged IP addresses to show up in the corresponding Dynamic Address Group in the security policy. This delay is intentional to prevent accidental DoS scenarios." We've waited couple minutes or more but we found that admin has to initiate "commit" for the IP to be included in the Group. This is the command we tried: index=pan_logs sourcetype=pan:threat host=$PA_FIREWALL$ category=malware vendor_action=allowed dest_zone=internal | stats count by src_ip | pantag device="$PA_FIREWALL$" action=add tag="SplunkBlock" ip_field="src_ip" Change is not visible We are getting Palo Alto logs from the device and for config type logs, following custom format is used: $receive_time $admin $host $client $cmd $result $path $before-change-detail $after-change-detail Strangely, we do not see any log related to the IP being added to the tag or to the group. Is this expected behaviour? or are we missing some field in syslog setting? Thanks! ... View more

Hello, I am using the threat intelligence lookup files from the Splunk App for Enterprise Security and the lookup file (e.g. threatintel_by_domain) is giving an error when it is not used after table. For example, index=* sourcetype=bluecoat | table cs_host user | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=* works, but index=* sourcetype=bluecoat | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=* | table cs_host user gives error saying The lookup table 'threatintel_by_domain.csv' does not exist or is not available. All my custom lookup files work without table, but all the lookups in threatintel does not work without table. I've checked the permission and they are all global so it is not an issue with permission. Any suggestion? ... View more

Hello, We've been having issue with license usage lately where we see sudden spike of eps from multiple host. Recently, I found that there is indextime (eval indextime=_indextime) and used it to compare it with the timestamp (_time). It is not shown in the image above but the initial time for both graphs was exactly 00:00:00 but there is certainly a lag at the end where there is a spike of event count in indextime. So my question is, am I interpreting the graph properly? that the forwarder is pushing logs at certain point instead of streaming it continuously? If so, what could be causing this lag? We have more than 100 devices reporting to our heavy forwarder. Is it too much for heavy forwarder to handle? Or is it the issue with the hardware (memory or CPU) of heavy forwarder or indexer? Again, similar lag is observed over dozens of our hosts which are generating large amount of logs. Thanks in advance! ... View more

Hi, We are sharing multiple dashboards with clients which are automatically refreshing every 5 minutes. The problem is that from time to time, the dashboard doesn't display panels properly as shown below !Is there something wrong with the xml code or is it simply a performance issue? We have added new indexer which should have enhanced the performance of Splunk but we are not experiencing any difference. Is there a query to check the performance degradation before and after? ... View more

Hello I've been using metadata command for many reports and alarms for new host added, eps and reporting status and now I wonder if the results of metadata command is, in fact, reliable. For other searches, I can actually check by looking at the raw log but not metadata. Can anyone give me a direction where I can find how metadata command works? because in search reference pdf, it doesn't describe where it is fetching those firstTime, lastTime and totalCount from. I just want to confirm what I hope is true is actually true before putting myself in trouble by blindly believing in a command I don't fully understand. ... View more

Hello, I've been using the query provided at http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume to get the indexed volume by host and I modified it a little to see the pattern - such as log stoppage. My query is index=_internal group="per_host_thruput" earliest=-3d@d latest=@d| chart eval(round(sum(kb), 2)/1024) over series by date_mday which works fine but I would like to add another field (column to the chart) using eval or eventstats command such as finding the average (avg) or peak volume (max). If I was gathering this information by stats command then it would be easy but the problem is that I need to have at least 3 days of time range to see the pattern. Yes, I can use timechart which works but I have over 200 devices which cannot fit in a row (and this must be shown in a dashboard panel). Currently, my query looks like this series 26 27 28 10.0.0.1 50 48 24 10.0.0.2 4 8 2 10.0.0.3 1 1 ... which I would like to have this series 26 27 28 Description(avg) Description(max) Description 10.0.0.1 50 48 24 xx xx 10.0.0.2 4 8 2 x x 10.0.0.3 1 1 x x Alert ... Can this be done? or can it be done using stats command? The closest I got with stats command is this index=_internal group="per_host_thruput" earliest=-3d@d latest=@d| eval D1 = max(date_mday) | eval D2 = D1-1 | eval D3 = D2-1 |stats sum(kb) by series D1 D2 D3 but it's not giving sum(kb) by date. ... View more