Retrieving logs from Splunk

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Retrieving logs from Splunk

L1 Bithead

I was trying to see the capabilities of the log retrieval using splunk, and I can retrieve about 115 lines of data from splunk, the splunk job is finished, and there is data being transferred back and forth that can be seen with tcpump, but after a set number of lines the job just sits there, and will never complete.   there is adequate disk space.   I can view the job in splunk and its complete.    Is this simply a wishlist idea that hasn't been fully implemented.    I'd like to know that I should just give up trying.      Just about to update to expedition_1.2.57.all.deb, but have been running expedition_1.2.56.all.deb, and 55 when trying to get this to work.   I have the palo alto splunk add on.   I have the palo alto app installed.   I use it for other things

1 accepted solution

Accepted Solutions

L1 Bithead

I just discovered after updating and some ssh session output logging, that this may be due to a space in the device name

 

PHP Warning: file(/PALogs/Primary Firewall_traffic_2023_04_14_last_calendar_day.csv)

and the 27kb file is called Primary, and is not in csv format.    So I may need to recreate the device definition, because I can't seem to rename the device.

View solution in original post

1 REPLY 1

L1 Bithead

I just discovered after updating and some ssh session output logging, that this may be due to a space in the device name

 

PHP Warning: file(/PALogs/Primary Firewall_traffic_2023_04_14_last_calendar_day.csv)

and the 27kb file is called Primary, and is not in csv format.    So I may need to recreate the device definition, because I can't seem to rename the device.

  • 1 accepted solution
  • 1465 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!