We have the latest version of Splunk for PaloAlto (upgraded a week or two ago) on a Linux system. We are trying to repair a lot of our dashboards, which have never worked. Originally Splunk was configured to use the main index and we believe that the person who initially set it up tried to get everything working with the main database and failed. Now we have reconfigured so that all PaloAlto data is sent to the pan_log index.
The PAN Overview dashboard works fine. I believe all of the links work as well. The Traffic dashboard does not display any data. The threat dashboard and the system dashboard under console also do not work. The content dashboard appears to be OK. There are other areas that are not working, but I figured I would try to start out with a small list. All of the dashboards that are not working appear to use the search index = summary DataCube = system prefix in the search when I click inspect.
Not really sure how the summary table gets populated so we can fix this, or if that even makes sense that this would be the issue. Any ideas on where I should start on this?