Merge branch 'hotfix/v4.1.2'

.gitignore

@@ -17,3 +17,6 @@ local/*
 
 # Git repositories folder
 git-repositories/
+
+# PyCharm/IntelliJ meta-directory
+.idea

README.md

@@ -11,8 +11,8 @@ Networks Firewall
 #### Latest Version ####
 
 * Splunk Version: 6.x
-* App Version: 4.1.1
-* Last Modified: May 2014
+* App Version: 4.1.2
+* Last Modified: Sep 2014
 * Authors:
     * Monzy Merza - Splunk, Inc.
     * Brian Torres-Gil - Palo Alto Networks
@@ -95,6 +95,14 @@ If you have customized the built-in dashboards of a previous app version, then t
 
 If upgrading from 3.x, please read the __Upgrade Notes__ above.
 
+Version 4.1.2
+
+- Fix some Threat dashboard drilldowns 
+- Fix scope of CIM fields to remove conflict with some apps
+- Remove macros from datamodel that were causing slower acceleration
+
+Note: changes to datamodel may require the acceleration to be rebuilt before data will show up in the dashboards
+
 Version 4.1.1
 
 - Handle new fields in latest PAN-OS syslogs and WildFire reports

default/app.conf

@@ -3,13 +3,13 @@ is_visible = true
 label = Splunk for Palo Alto Networks
 
 [launcher]
-author= [email protected]
-description= The Splunk for Palo Alto Networks app is a set of field extractions, reports, lookups and dashboards which provide visibility into the Palo Alto Networks Firewall data. 
-version = 4.1.1
+author = [email protected]
+description = The Splunk for Palo Alto Networks app is a set of field extractions, reports, lookups and dashboards which provide visibility into the Palo Alto Networks Firewall data.
+version = 4.1.2
 
 [package]
-id= SplunkforPaloAltoNetworks
+id = SplunkforPaloAltoNetworks
 
 [install]
-build= 1200
+build = 1200
 

default/data/models/pan_logs.json

@@ -2177,7 +2177,7 @@
             "calculations": [],
             "constraints": [
                 {
-                    "search": "`pan_index`",
+                    "search": "index=\"pan_logs\"",
                     "owner": "log"
                 }
             ],

default/data/ui/views/threat_detail.xml

@@ -7,7 +7,7 @@
         <latestTime>now</latestTime>
       </default>
     </input>
-    <input type="text" token="threat">
+    <input type="text" token="threat_name">
       <label>Threat</label>
       <default/>
       <prefix>log.threat_name="</prefix>
@@ -19,7 +19,7 @@
       <prefix>log.user="</prefix>
       <suffix>"</suffix>
     </input>
-    <input type="text" token="application">
+    <input type="text" token="app">
       <label>Application</label>
       <default/>
       <prefix>log.app="</prefix>
@@ -33,7 +33,7 @@
     </input>
   </fieldset>
   <searchTemplate>| `tstats` values(sourcetype) as sourcetype values(log.threat_name) as threat_name sum(log.bytes) as bytes sum(log.elapsed_time) as duration
-        FROM datamodel="pan_logs" WHERE (nodename="log.traffic" OR nodename="log.threat") $threat$ $user$ $application$ $location$
+        FROM datamodel="pan_logs" WHERE (nodename="log.traffic" OR (nodename="log.threat" $threat_name$)) $user$ $app$ $location$
         `groupby(log.session_id log.user log.server_ip log.application log.server_location)`
         | search sourcetype="pan_threat" bytes!="" server_location!="" user!="" | eval KB=bytes/1024</searchTemplate>
   <earliestTime>$earliest$</earliestTime>
@@ -73,8 +73,7 @@
     </chart>
     <chart>
       <title>Users by Kilobytes</title>
-      <searchPostProcess>| stats sum(KB) as "Transferred (KB)" by user
-        | rename user AS User | sort -"Transferred (KB)"</searchPostProcess>
+      <searchPostProcess>| stats sum(KB) as "Transferred (KB)" by user | sort -"Transferred (KB)"</searchPostProcess>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">visible</option>
@@ -93,7 +92,7 @@
       <drilldown>
         <link>
           <![CDATA[
-            /app/SplunkforPaloAltoNetworks/threat_detail?form.user=$click.value$
+            /app/SplunkforPaloAltoNetworks/threat_detail?form.$click.name$=$click.value$
 	  ]]>
         </link>
       </drilldown>

default/data/ui/views/threat_overview.xml

@@ -53,7 +53,7 @@
   <row>
     <chart>
       <title>Threat Subtypes</title>
-      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby _time log.log_subtype | timechart values(count) by log.log_subtype</searchString>
+      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ `groupby(_time log.log_subtype)` | timechart values(count) by log_subtype</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">collapsed</option>
@@ -79,7 +79,7 @@
     </chart>
     <chart>
       <title>Severity</title>
-      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby _time log.severity | timechart values(count) by log.severity</searchString>
+      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ `groupby(_time log.severity)` | timechart values(count) by severity</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">collapsed</option>
@@ -107,7 +107,7 @@
   <row>
     <chart>
       <title>Threats</title>
-      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.threat_name</searchString>
+      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ `groupby(log.threat_name)`</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">visible</option>
@@ -126,14 +126,14 @@
       <drilldown>
         <link>
           <![CDATA[
-            /app/SplunkforPaloAltoNetworks/threat_detail?form.threat=$click.value$&earliest=$earliest$&latest=$latest$
+            /app/SplunkforPaloAltoNetworks/threat_detail?form.$click.name$=$click.value$&earliest=$earliest$&latest=$latest$
 	  ]]>
         </link>
       </drilldown>
     </chart>
     <chart>
       <title>Threats by App</title>
-      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.app</searchString>
+      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ `groupby(log.app)`</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">visible</option>
@@ -159,7 +159,7 @@
     </chart>
     <chart>
       <title>Threats by User</title>
-      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.user</searchString>
+      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ `groupby(log.user)`</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">visible</option>
@@ -178,7 +178,7 @@
       <drilldown>
         <link>
           <![CDATA[
-            /app/SplunkforPaloAltoNetworks/threat_detail?form.user=$click.value$&earliest=$earliest$&latest=$latest$
+            /app/SplunkforPaloAltoNetworks/threat_detail?form.$click.name$=$click.value$&earliest=$earliest$&latest=$latest$
 	  ]]>
         </link>
       </drilldown>
@@ -187,7 +187,7 @@
   <row>
     <chart>
       <title>Source IP</title>
-      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.src_ip</searchString>
+      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ `groupby(log.src_ip)`</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">visible</option>
@@ -213,7 +213,7 @@
     </chart>
     <chart>
       <title>Threats by Severity</title>
-      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.severity</searchString>
+      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ `groupby(log.severity)`</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">visible</option>
@@ -239,7 +239,7 @@
     </chart>
     <chart>
       <title>Destination IP</title>
-      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ groupby log.dst_ip</searchString>
+      <searchString>| `tstats` count FROM `node(log.threat)` $src_ip$ $dst_ip$ $log_subtype$ $threat_name$ $vsys$ $app$ `groupby(log.dst_ip)`</searchString>
       <earliestTime>$earliest$</earliestTime>
       <latestTime>$latest$</latestTime>
       <option name="charting.axisTitleX.visibility">visible</option>

metadata/default.meta

@@ -26,4 +26,4 @@ export = system
 export = none
 
 [lookups]
-export = system
+export = none