All Apps and Add-ons

All Sub Dashboards are blank - why?

reswob4
Builder

I am not receiving any information on any of the subdashboards. The Overview dashboard (seems to) works just fine.

For example, the Threat Dashboard is blank. Putting in a source IP still draws a blank even though a search of "* sourcetype=pan_threat x.x.x.x| table _time,threat_name, severity" within the app gets results.

Clicking on one of the dashboards give the following search:

| tstats count FROM node(log.threat) groupby(_time log.log_subtype) | timechart values(count) by log_subtype

But that returns nothing. Looking at the definitions of the macros shows:

tstats => tstats summariesonly=t and searching those terms doesn't return anything. And how does a macro refer to itself?

node(1) => datamodel="pan_firewall" WHERE nodename="$nodename$" and searching for datamodel="pan_firewall" doesn't return anything either.

At this point I figured I'd ask on the forums rather than individually troubleshoot each term/macro/search to find out if there is an overall fix or what.

It seems that most of the dashboards rely on the 'tstats' macro, but that macro doesn't seem to work anywhere.

Suggestions?

reswob4
Builder

Here's an update. Currently, this is partially working. To be clear, the Palo Alto was sending the logs to indexerA and I was using the SH (I only have one) to view the events. Both the indexer and the SH have the PA app installed. Initially, the dashboards were not working on either indexerA or the SH. Then, during troubleshooting on IndexerA, the Threat dashboard and the Traffic dashboard started showing events, but not the Content dashboard. On the SH, still nothing. After some further back and forth with PA tech support, I had to move on.

So consider this thread closed for now.

0 Karma

reswob4
Builder

Logs are being parsed correctly.

Here's what I have for acceleration. I have three Data Models, all are enabled for Data Acceleration and all are set for one year

When you look at the details, here's what I have:

Palo Alto Networks Endpoint Logs
MODEL

Objects
5 Events Edit
Permissions
Shared in App. Owned by nobody. Edit

ACCELERATION
Rebuild Update Edit

Status
100.00% Completed
Access Count
0. Last Access: 1969-12-31T19:00:00-05:00
Size on Disk
1.20MB
Summary Range
31536000
Buckets
49
Updated
2015-09-04T11:21:34-04:00

Palo Alto Networks Firewall Logs
This datamodel represents all the syslogs produced by Palo Alto Networks Next-generation Firewalls and Panorama. The datamodel is structured such that all logs are part of the first root event object so the entire datamodel is accelerated.
MODEL

Objects
16 Events Edit
Permissions
Shared in App. Owned by nobody. Edit

ACCELERATION
Rebuild Update Edit

Status
100.00% Completed
Access Count
165. Last Access: 2015-09-04T09:30:29-04:00
Size on Disk
3898.07MB
Summary Range
31536000
Buckets
49
Updated
2015-09-04T11:21:22-04:00

(we are not using Wildfire)

So acceleration is enabled, the build is at 100%.

are there any other steps I'm missing?

0 Karma

reswob4
Builder

We are on the latest version.
I already went through those tips.
I checked and the data model is being accelerated.

0 Karma

btorresgil
Builder

Hello,

The tstats macro refers to the tstats command, not the macro itself. There is nothing wrong with the macro configuration.

The dashboards use the tstats command to pull data from an accelerated data model. If there is no data showing up in the dashboard, then the data is most likely not being accelerated by the datamodel. Make sure you are on the latest version of the app, and that the datamodels that come with the app are accelerated.

Here is a troubleshooting guide to help you figure out what the dashboards are not populating:
https://live.paloaltonetworks.com/t5/Articles/How-to-Configure-Splunk-for-Palo-Alto-Networks/ta-p/54...

(see Troublshooting Steps near the bottom of that page)

0 Karma

abeeber_splunk
Splunk Employee
Splunk Employee

I downvoted this post because helpful, but the end result indicated no ultimate solution.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...