Retrieving logs from Splunk

brian.seppanen — Mon, 17 Apr 2023 15:23:04 GMT

I was trying to see the capabilities of the log retrieval using splunk, and I can retrieve about 115 lines of data from splunk, the splunk job is finished, and there is data being transferred back and forth that can be seen with tcpump, but after a set number of lines the job just sits there, and will never complete. there is adequate disk space. I can view the job in splunk and its complete. Is this simply a wishlist idea that hasn't been fully implemented. I'd like to know that I should just give up trying. Just about to update to expedition_1.2.57.all.deb, but have been running expedition_1.2.56.all.deb, and 55 when trying to get this to work. I have the palo alto splunk add on. I have the palo alto app installed. I use it for other things

Re: Retrieving logs from Splunk

brian.seppanen — Mon, 17 Apr 2023 15:32:37 GMT

I just discovered after updating and some ssh session output logging, that this may be due to a space in the device name

PHP Warning: file(/PALogs/Primary Firewall_traffic_2023_04_14_last_calendar_day.csv)

and the 27kb file is called Primary, and is not in csv format. So I may need to recreate the device definition, because I can't seem to rename the device.

topic Re: Retrieving logs from Splunk in Expedition Discussions

Retrieving logs from Splunk

Re: Retrieving logs from Splunk