cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
scott778
Explorer
Member since: ‎04-30-2014
‎06-05-2020
Community Statistics
Posts 17
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎04-30-2014
Activity Feed
View All

Re: Palo Alto Networks Empty Dashboards

by in All Apps and Add-ons
‎01-10-2018 08:40 AM
‎01-10-2018 08:40 AM
index=pan_logs | rex "(?CONFIG)" | search config=* No results returned over last 30 days. ... View more

Re: Palo Alto Networks Empty Dashboards

by in All Apps and Add-ons
‎01-10-2018 08:05 AM
‎01-10-2018 08:05 AM
No results are returned. I believe this is related to the error when parsing (i think) the props.config for sourcetypes? This error in _internal concerns me. Maybe splunk is choking on pan:threat and so stops processing other Evals? CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE. Here's a search over the last 30 days of sourctypes - Search - index=pan_logs | dedup sourcetype | table sourcetype sourcetype pan:traffic pan:system ... View more

Re: Palo Alto Networks Empty Dashboards

by in All Apps and Add-ons
‎01-08-2018 12:13 PM
‎01-08-2018 12:13 PM
This is my inputs.conf - [udp://XXX] index = pan_logs sourcetype = pan:log no_appending_timestamp = true It's definitely adjust some stuff because I get events tagged with pan:traffic which is not defined in any inputs.conf. sourcetype pan:traffic ... View more

Re: Palo Alto Networks Empty Dashboards

by in All Apps and Add-ons
‎01-08-2018 09:34 AM
‎01-08-2018 09:34 AM
Results over last 30 days. We've been doing a bunch of commits recently so I know I should be seeing some pan_config pan:system pan:traffic ... View more

Re: Palo Alto Networks Empty Dashboards

by in All Apps and Add-ons
‎01-05-2018 01:18 PM
‎01-05-2018 01:18 PM
Confirmed, my account is a member of the role 'admin' Role admin has "all non-internal indexes' in default search I confirm this by searching on eventtype=pan in the search app and results are returned. ... View more

Palo Alto Networks Empty Dashboards

by in All Apps and Add-ons
‎01-05-2018 11:21 AM
‎01-05-2018 11:21 AM
I've read through the documentation, followed all the steps but still cannot get dashboards to populate in Splunk for the Palo Alto App. Versions - Splunk - 7.0.1 Palo Alto Networks - 6.0.1 Palo Alto Networks Add-On - 6.0.1 Inputs.conf - [udp://XXX] index = pan_logs sourcetype = pan:log no_appending_timestamp = true Data Model Acelleration is at 100% - There was an error preventing the data models from functioning 100%, related to system not having proper NTFS access. eventtype=pan - returns results eventtype=pan_config - no results According to Documentation we should check the timestamp for upd which we've done, We are forwarding straight from the Palo Alto Firewalls with default format. We only have one splunk server running all roles. I've found this in the _internal index - CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE. I've no other ideas why data isn't being tagged properly. Any and all help is appreciated. ... View more

Re: How to migrate data from the "main" index on S...

by in Installation
‎11-30-2016 12:42 PM
‎11-30-2016 12:42 PM
Yes, we are licensed for 10gb a day and only hitting about 7. I'm not sure what you mean by re-indexing the data. How can I accomplish that? ... View more

Re: How to migrate data from the "main" index on S...

by in Installation
‎11-30-2016 07:00 AM
‎11-30-2016 07:00 AM
Do I need to check for conflicts outside of the index I'm trying to place the db folders in? If not, then yes I checked for conflicts. ... View more

Re: How to migrate data from the "main" index on S...

by in Installation
‎11-29-2016 02:28 PM
‎11-29-2016 02:28 PM
I've copied the db_ folders into the index networking but still cannot search the data. ... View more

Re: How to migrate data from the "main" index on S...

by in Installation
‎11-29-2016 02:26 PM
‎11-29-2016 02:26 PM
I've copied the db_* folders from db into the index networking on server A but still cannot search the data. ... View more

How to migrate data from the "main" index on Splun...

by in Installation
‎11-29-2016 02:13 PM
‎11-29-2016 02:13 PM
We've recently combined with another company that had a Splunk installation (B), just one server collecting network device info into the main index. We have a Splunk installation (A) which has multiple indexes, including one for networking. I'd like to take all the data from the main index on B and move it into the networking index on A. Both machines are Windows 2012 R2. Those network devices that were reporting to instance B have been redirected to instance A so server B is receiving no new data. I attempted moving the db_* folders from ./main/db on server B to the index named networking on server A and restarted the splunkd service, but still cannot search this data. I've searched Splunk Answers and found many topics about moving to another index of the same name, but not to an index with a different name. Any help you can provide would be much appreciated. ... View more

Re: Data Retention - can we copy frozendb to tape?

by in Getting Data In
‎10-28-2015 02:17 PM
‎10-28-2015 02:17 PM
How could we restore that data? If we had to pull a tape back from 2 years ago could I point a new index at the frozendb folder from 2 years ago and run queries? ... View more

Data Retention - can we copy frozendb to tape?

by in Getting Data In
‎10-28-2015 12:19 PM
‎10-28-2015 12:19 PM
Is it possible to archive frozendbs to tape and pull that data back for splunk to read at a later date? For example, I'd like to do something like this. All data has to be retained for 3 years. Warm / Hot Dbs = 3 months frozendb = 1 year Frozendb is backed up to tape once per year. ... View more

Re: Palo Alto App no_appending_timestamp problem

by in All Apps and Add-ons
‎11-06-2014 06:43 AM
1 Karma
‎11-06-2014 06:43 AM
1 Karma
Thank you for that confirmation. I actually came across that same conclusion. The TCP stanza does not utilize the no_appending_timestamp option. I reached out to the developer of the palo alto splunk application and he is currently reviewing the issue. ... View more

Re: Palo Alto App no_appending_timestamp problem

by in All Apps and Add-ons
‎10-27-2014 01:50 PM
‎10-27-2014 01:50 PM
bump I'm receiving the same error regarding the incorrect stanza line, any resolution? ... View more

Re: Proper input.conf setup - Apache Tomcat

by in Getting Data In
‎05-13-2014 06:55 AM
‎05-13-2014 06:55 AM
Thank you very much, this did the trick. ... View more

Proper input.conf setup - Apache Tomcat

by in Getting Data In
‎05-12-2014 01:22 PM
‎05-12-2014 01:22 PM
Hello, I'm trying to find out why only one sourcetype (the last one) is being monitored. Could someone please tell me how to configure input.conf? I'd like to capture some apache/tomcat logs and set different sourcetypes. When I let splunk automatically set sourcetypes it appends the dates to the sourcetype field. [default] host = NDV-MWWEB01 [monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs] disabled = false index = test whitelist = catalina.* sourcetype = catalina [monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs] disabled = false index = test whitelist = localhost.(.*) sourcetype = localhostApache [monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs] disabled = false index = test whitelist = localhost_(.*) sourcetype = localhostApacheAccess [monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs] disabled = false index = test whitelist = tomcat7.0.42-stderr(.*) sourcetype = stderrApache [monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs] disabled = false index = test whitelist = tomcat7.0.42-stdout(.*) sourcetype = stdoutApache ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to
View All
Top