Merge branch 'hotfix/v4.1.3'

README.md

@@ -11,8 +11,8 @@ Networks Firewall
 #### Latest Version ####
 
 * Splunk Version: 6.x
-* App Version: 4.1.2
-* Last Modified: Sep 2014
+* App Version: 4.1.3
+* Last Modified: Oct 2014
 * Authors:
     * Monzy Merza - Splunk, Inc.
     * Brian Torres-Gil - Palo Alto Networks
@@ -95,6 +95,12 @@ If you have customized the built-in dashboards of a previous app version, then t
 
 If upgrading from 3.x, please read the __Upgrade Notes__ above.
 
+Version 4.1.3
+
+- Special commands (panblock, panupdate, pantag) now available from other apps
+- Fix issue with unknown lookup errors during search
+- Fix issue with meta scope and global namespace
+
 Version 4.1.2
 
 - Fix some Threat dashboard drilldowns 

default/app.conf

@@ -5,7 +5,7 @@ label = Splunk for Palo Alto Networks
 [launcher]
 author = [email protected]
 description = The Splunk for Palo Alto Networks app is a set of field extractions, reports, lookups and dashboards which provide visibility into the Palo Alto Networks Firewall data.
-version = 4.1.2
+version = 4.1.3
 
 [package]
 id = SplunkforPaloAltoNetworks

default/commands.conf

@@ -10,15 +10,10 @@ passauth = true
 filename = panoramaUserUpdate.py
 passauth = true
 
-[args]
-filename = args.py
-supports_rawargs = true
-passauth = true
-
-[wildfirereport]
+[pan_wildfirereport]
 filename = retrieveWildFireReport.py
 passauth = true
 
-[newapps]
+[pan_newapps]
 filename = retrieveNewApps.py
 passauth = true

default/eventtypes.conf

@@ -22,8 +22,5 @@ search = sourcetype=pan_traffic
 search = sourcetype=pan_system
 #tags = os
 
-[pan_test]
-search = sourcetype=pan_traffic
-
 [pan_newapps]
 search = sourcetype=pan_newapps

default/props.conf

@@ -1,5 +1,3 @@
-LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product
-
 [pan_log]
 TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config
 SHOULD_LINEMERGE = false
@@ -8,6 +6,7 @@ pulldown_type = true
 
 [pan_threat]
 REPORT-search = extract_threat, extract_threat_id, extract_dst_hostname, extract_major_content_type, extract_filename
+LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product
 SHOULD_LINEMERGE = false
 lookup_table = threat_lookup threat_id
 lookup_table = app_lookup app
@@ -31,6 +30,7 @@ EVAL-client_location = if(isnull(direction) OR direction="client-to-server", src
 
 [pan_traffic]
 REPORT-search = extract_traffic
+LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product
 SHOULD_LINEMERGE = false
 lookup_table = app_lookup app
 lookup_src_class = classification_lookup cidr AS src_ip OUTPUT classification AS src_class
@@ -51,6 +51,7 @@ EVAL-client_location = if(isnull(direction) OR direction="client-to-server", src
 
 [pan_system]
 REPORT-search = extract_system
+LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product
 SHOULD_LINEMERGE = false
 FIELDALIAS-pan_system = "serial_number" AS "serial" "type" AS "log_type" "subtype" AS "log_subtype" "Virtual System" AS "vsys" 
 # Field Aliases to map palo alto fields to the Splunk Common Information Model
@@ -60,6 +61,7 @@ FIELDALIAS-dest_for_pan_system = host as dest_ip, host as dest
 
 [pan_config]
 REPORT-search = extract_config
+LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product
 SHOULD_LINEMERGE = false
 FIELDALIAS_config = "virtual_system" AS "vsys" "command" AS "cmd" "configuration_path" AS "path"
 # Field Aliases to map palo alto fields to the Splunk Common Information Model
@@ -71,6 +73,7 @@ EVAL-log_subtype = "config"
 
 [pan_wildfire_report]
 REPORT-search = extract_wildfire_report
+LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product
 KV_MODE = xml
 LINE_BREAKER = ((?!))
 SHOULD_LINEMERGE = false
@@ -84,12 +87,14 @@ EVAL-tcp_ip_port = mvzip(tcp_ip,tcp_port)
 EVAL-udp_ip_port = mvzip(udp_ip,udp_port)
 
 [pan_newapps]
+LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product
 KV_MODE = xml
 LINE_BREAKER = ((?!))
 SHOULD_LINEMERGE = false
 TRUNCATE = 0
 
 [flowintegrator]
+LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup sourcetype OUTPUT vendor,product
 SHOULD_LINEMERGE = False
 
 FIELDALIAS-fi_module = nfc_id AS fi_module

default/savedsearches.conf

@@ -10,7 +10,7 @@ displayview = flashtimeline
 enableSched = 1
 realtime_schedule = 0
 request.ui_dispatch_view = flashtimeline
-search = `pan_wildfire` | wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
+search = `pan_wildfire` | pan_wildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=pan_logs sourcetype=pan_wildfire_report
 disabled = 0
 
 ########################
@@ -27,5 +27,5 @@ displayview = flashtimeline
 enableSched = 1
 realtime_schedule = 0
 request.ui_dispatch_view = flashtimeline
-search = index=pan_logs sourcetype=pan_newapps | table app{@name} | newapps | collect index=pan_logs sourcetype=pan_newapps
+search = index=pan_logs sourcetype=pan_newapps | table app{@name} | pan_newapps | collect index=pan_logs sourcetype=pan_newapps
 disabled = 0

lookups/pan_vendor_info.csv

@@ -3,3 +3,5 @@ pan_config,PaloAlto,Firewall,
 pan_system,PaloAlto,Firewall,
 pan_threat,PaloAlto,Firewall,network
 pan_traffic,PaloAlto,Firewall,
+pan_wildfire_report,PaloAlto,Firewall,
+pan_newapps,PaloAlto,Firewall

metadata/default.meta

@@ -1,5 +1,3 @@
-# TODO: should these only exported to app instead of system?
-
 # Application-level permissions
 
 []
@@ -10,20 +8,23 @@ access = read : [ * ], write : [ admin, power ]
 [eventtypes]
 export = system
 
-
 ### PROPS
 
 [props]
-export = system
-
+export = none
 
 ### TRANSFORMS
 
 [transforms]
-export = system
-
-[savedsearches]
 export = none
 
 [lookups]
 export = none
+
+## OTHER
+
+[savedsearches]
+export = none
+
+[commands]
+export = system