Palo Alto App's dashboards not showing any data (App version 6.1.1, TA version 6.1.1, Splunk version 7.2.9).

ssharma09
Explorer

I can't see any dashboard showing numbers (data) in Palo Alto App.

- App version 6.1.1 & TA version 6.1.1

- Splunk version 7.2.9

- Data is being ingested from Syslog > UF to Splunk Cloud.

- Data can be searched at Splunk from sourcetypes: pan:traffic, pan:system, pan:threat

- Data model: pan_firewall is accelerated and built 100%. (There was no data in the other datamodels, so I disabled the acceleration on them.)

One of the search queries from the dashboard "Network Security":

| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name | rename log.* AS * | stats sum(count) AS count by threat_name threat_category severity

I'm wondering whether the field nodename (not found in the datamodel), which is used in many other panels' search queries, might be causing the issue. If so, how do I fix that?

Please advise.

Thanks

richgalloway
SplunkTrust

The Palo Alto app makes extensive use of accelerated datamodels. By turning off accelerations you have disabled some panels.

The nodename keyword identifies a child within the datamodel rather than a field.

---
If this reply helps you, Karma would be appreciated.
ssharma09
Explorer

Hi Richgalloway,

Thanks for your reply.

Nothing happens when I enable the acceleration of all the datamodels and they build 100%.

thanks,

richgalloway
SplunkTrust

What do you mean by "nothing happens"? Apparently, something happens if the DMAs are successful.
Do the datamodels have data? No panel will work if there is no data to display. Are the DMs looking in the right indexes?
---
If this reply helps you, Karma would be appreciated.
ssharma09
Explorer

I'm concerned about the dashboards which are using the DM pan_firewall; it is 100% built and has data in it, but still those dashboards are not showing any data.

richgalloway
SplunkTrust

You may need to debug the dashboard queries. Pick one and copy it into a search window. Delete everything after the first pipe (|) and run the search and verify the results. If it works then add the next pipe and repeat the process until you get no results. The last pipe added likely will be the cause of the problem. Perhaps you don't have a field or value the search expects.
Once you've identified the problem, correct the search to work in your environment.
---
If this reply helps you, Karma would be appreciated.
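The pipe-by-pipe debugging procedure richgalloway describes can be scripted. The following is an added example, not code from the thread or from the Palo Alto app: a small Python helper that splits an SPL search into the cumulative stages to run in a search window (first command alone, then the first two, and so on), taking care not to split on a `|` that sits inside a double-quoted value. The sample query is the dashboard search quoted earlier in this thread; the function names `split_commands` and `debug_stages` are my own.

```python
"""Generate the cumulative pipe stages of an SPL search for step-by-step debugging.

Added example: helper names are hypothetical, not part of the Palo Alto app.
"""
from typing import List

# Constructed sample: the "Network Security" dashboard query quoted in the thread.
SAMPLE_SPL = (
    '| tstats summariesonly=t count FROM datamodel="pan_firewall" '
    'WHERE nodename="log.correlation" '
    'GROUPBY log.severity log.threat_category log.threat_name '
    '| rename log.* AS * '
    '| stats sum(count) AS count by threat_name threat_category severity'
)


def split_commands(spl: str) -> List[str]:
    """Split an SPL string into its commands at '|' delimiters.

    A '|' inside a double-quoted string (e.g. WHERE user="a|b") is part of a
    value, not a pipe, so quotes are tracked; backslash escapes inside quotes
    are honoured so an escaped quote does not end the string.
    """
    commands: List[str] = []
    buf: List[str] = []
    in_quote = False
    escape = False
    for ch in spl:
        if escape:
            buf.append(ch)
            escape = False
            continue
        if ch == "\\" and in_quote:
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            commands.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    commands.append("".join(buf).strip())
    # A leading '|' produces an empty first element; drop empties.
    return [c for c in commands if c]


def debug_stages(spl: str) -> List[str]:
    """Return the searches to run in order: first command, first two, and so on.

    Generating commands such as tstats must keep their leading pipe, so the
    leading '|' of the original search is preserved on every stage.
    """
    cmds = split_commands(spl)
    leading_pipe = spl.lstrip().startswith("|")
    stages = []
    for i in range(1, len(cmds) + 1):
        stage = " | ".join(cmds[:i])
        if leading_pipe:
            stage = "| " + stage
        stages.append(stage)
    return stages


if __name__ == "__main__":
    # Run each stage in a search window; the first one that returns no
    # results points at the command (or field) your data does not satisfy.
    for n, stage in enumerate(debug_stages(SAMPLE_SPL), start=1):
        print(f"Stage {n}: {stage}")
```

Running the first printed stage is exactly the "complete tstats command" richgalloway asks for below; if stage 1 returns no rows while `| tstats summariesonly=t count FROM datamodel="pan_firewall"` does, the problem is in the WHERE/GROUPBY clause rather than in the later rename or stats commands.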
ssharma09
Explorer

I picked the search:

WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name | rename log.* AS * | stats sum(count) AS count by threat_name threat_category severity

and removed everything after the first pipe: result > no data.

Then I just ran:

| tstats summariesonly=t count FROM datamodel="pan_firewall"

It showed me data.

richgalloway
SplunkTrust

The tstats command you ran was partial, but still helpful. It shows there is data in the accelerated datamodel.

Next, please run the complete tstats command:

| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name

If that returns no results, then I suspect your data is missing one or more of the severity, threat_category, or threat_name fields.

---
If this reply helps you, Karma would be appreciated.

BrendanCO
Path Finder

I'm in the exact same boat, guys. I put in just:

| tstats summariesonly=t count FROM datamodel="pan_firewall"

And I get data. When I put in:

| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.correlation" GROUPBY log.severity log.threat_category log.threat_name

I get nothing. I tried adding each argument in from the beginning, and it immediately fails at the nodename designation.

Thoughts?
