Morning everyone, Been having a rough go trying to get some usable web usage reports out of splunk for my Palo Alto traffic.  Specifically trying to do what i think is a semi simple thing.  My test is going to a website like amazon and then navigating around on the site looking at different products (robotic vacuums in my case).  Then i look at the traffic in splunk which reports back as giving me only say "2 Hits".   Palo reports the following:   I set my policy in palo to log at session start.    My search in splunk is this: index="pan_firewall" log_subtype="url" chris.myers dest_zone="L3-Untrust" url="www.*" user!="*solarwinds*" user!="*service*" user!=unknown http_category!="work-related" http_category!="health-and-medicine" http_category!="government" http_category!="web-advertisements" url!="ad.*" url!="www.abuseipdb.com*" url!="www.userbenchmark.com*" url!="www.xboxab.com*" url!="www.microsoft.com*" url!="www.content.shi.com*" url!="www.shi.com*" url!="www.workday.com*" url!="www.patientfirst.visualstudio.com*" url!="www.malwarebytes.com*" url!="www.globalknowledge.com*" url!="www.jetbrains.com*" url!="www.dnnsoftware.com*" url!="www.juniper.net*" url!="www.intel.com*" url!="www.cpug.org*" url!="www.vmware.com*" url!="www.csirt.org*" url!="ads.*" url!="www.vwc.state.va.us*" url!="www.atlantichealth.org*" url!="www.uhcprovider.com*" url!="www.checkpoint.com*" url!=*rumiview.com* url!="*bing.com*" url!="www.facebook.com/plugins/*" url!="www.codechef.com*" url!="www.splunk.com*" url!="www.aetna.com*" url!="www.radmd.com*" url!="www.humanamilitary.com*" url!="www.myamerigroup.com*" url!="www.providerportal.com*" url!="www.vcuhealth.org*" url!="www.workcomp.virginia.gov*" url!="www.cisco.com*" url!="www.va.gov*" url!="www.wcc.state.md.us*" url!=www.kraken.com* url!="www.medicaid.gov*" url!="www.scc.virginia.gov*" url!="www.dli.pa.gov*" url!="www.maryland.gov*" url!="www.hscrc.state.md.us*" url!="www.msftncsi.com*" url!="*.msftconnecttest.com*" url!="*.msftconnect.com*" url!="*.manageengine.com*" url!="*.ibm.com*" url!="*.paloaltonetworks.com*" url!="www.nowinstock.net*" url!="*.centurylink.com*" url!="*.static-cisco.com*" url!="*.arin.net*" url!="www.facebook.com/connect/*" url!="www.facebook.com/third_party/urlgen_redirector/*" url!="*windstreamonline.com*" url!=*google* dest_hostname!=*fe2.update.microsoft.com dest_hostname!=crl.microsoft.com url!=*windowsupdate* url!="www.telecommandsvc*" url!="www.redditstatic*" url!="www.redditmedia*" url!="www.gravatar.*" dest_hostname!=*icloud.com dest_hostname!=*gstatic.com url!=*.js url!=*.jpg url!=*.png url!=*.gif url!=*.svg url!=*.jpeg url!=*.css | where isnull(referrer) | top limit=25 dest_hostname | rename dest_hostname as URL | table URL, count And my result is this: What am i missing, or what am i not understanding.  I would expect for every page i visit for every vacuum i look at to be 1 hit.  But my understanding has to be wrong as 1, i went and viewed over 15 individual vacuums, so different product urls.  Palo doesn't even seem log it.  I am expecting to see something like this listed,  https://www.amazon.com/Kokaidia-Navigation-Suction-Robotic-Cleaner/dp/B0DFT3B813/?_encoding=UTF8&pd_rd_w=7SKOA&content-id=amzn1.sym.7768b967-1ffc-4782-be79-a66c5b1b9899&pf_rd_p=7768b967-1ffc-4782-be79-a66c5b1b9899&pf_rd_r=KFZVRKBXWB2AZG55ENKY&pd_rd_wg=CjTy7&pd_rd_r=25c15f6d-78b3-46dc-8484-285dfeef98e2&ref_=pd_hp_d_atf_dealz_cs   I also looked at our Palo Alto application that is installed in splunk, but it is just throwing a java script error and providing no data output so i have to visit that later.  So not even trying to pull that into the conversation unless someone were to say, that is how i should be looking at it and my search queries are the problem.   I know someone has experience with this and welcome any and all input.  I am banging my head against the wall and open to anything. ... View more

I am working on a dashboard for my help desk and would like to embed a website, https://status.twilio.com/ so that staff can easily view from the vendor if they are experiencing outages all from a single pane of glass.  I can see in the old versions of splunk with html dashboards how to do this but not with the new version of dashboards and am not having much luck trying to figure this out.  I attempted the below via a drill down but clearly not getting what I want, which is the content to hopefully display as an embeded page within the dashboard.  Granted my drill down doesnt work either.  Below is my code for the panel itself where i am trying to get this working.  Not being a coder and not familiar with XML i realize i am asking for quite a bit of help.  Any insight anyone can offer is greatly appreciated.   {     "type": "splunk.table",     "options": {         "count": 100,         "dataOverlayMode": "none",         "drilldown": "none",         "percentagesRow": false,         "rowNumbers": false,         "totalsRow": false,         "wrap": true     },     "dataSources": {},     "title": "Twilio Status",     "description": "",     "eventHandlers": [         {             "type": "drilldown.customUrl",             "options": {                 "url": "https://status.twilio.com/"             }         }     ],     "context": {},     "showProgressBar": false,     "showLastUpdated": false } ... View more

I have looked at a ton of posts about breaking a multivalued field but having zero luck effecting a solution. I have a csv file that i have imported into splunk. In one of the fields, it contains data like this: Subject Name: Country: US State/Province: Virginia Locality: Glen Allen I thought i could do field extractions to turn things like Country: into a field with the value of US, but no luck. I have looked at eval, split, regex, and mvexpand but can't seem to get the right combo/syntax to do what i want. Can someone lend me their expertise in resolving? Ideally once i break this field up into its individual pieces i want to create a dashboard that check one of them and ties it to all its records. Worry for another day if i can't break up the field. ... View more

I am trying to setup the splunk addon for tenable to pull scan reports from our nessus pro box. I have setup the addon on a heavy forwarder with the information needed but i never see anything come over. My fear in researching is that this functionality doesn't work as smoothly based on issues i have seen others have. I wondered if anyone has successfully gotten this working and how? My settings are: (please note that my heavy forwarder performs no indexing functionality, so the "nessus" index is only created on my actual indexer. Hoping this isn't the problem.) Metrics Nessus Host Scans Nessus Server URL https://nessuspro:8834 Start Date 1999/01/01 Batch Size 100000 Interval 43200 Index nessus Status Enabled ... View more

New to field extractions but hoping this is an easy one that i just can't figure out for myself. I have a syslog server sending raw logs and want to extract a new field that consists of all the data (string) between and so that i can use it in a search. So for example, if i had a raw log that said: Jan 18 10:58:38 10.0.254.51 <134>Jan 18 10:58:38 from="something@something.com" to="someone@someone.com" RE: [EXTERNAL] Files for Review#012 #012 I want to extract a field called "subject" that would consist of only "RE: [EXTERNAL] Files for Review". Of course as messages flow through, the subject will change among them, but that's the just of it. It is already identifying a From and To field so my end result I am trying to create will be a table that will consist of: "From" "To" "Subject" I tried rex field=_raw "\" : "<(?.*)>" but it did not like that. Any help is greatly appreciated! ... View more