PaloAltoNetworks / Splunk-Apps

Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
https://splunk.paloaltonetworks.com
ISC License

Base Search in network_security.xml does not contain vendor_action so sinkholing subsearch fails #322

Open eflossSP6 opened 7 months ago

eflossSP6 commented 7 months ago

Describe the bug

The Base Search in network_security.xml does not contain vendor_action, so the subsearch for DNS sinkholing fails, as it requires that field.

Expected behavior

DNS sinkholing panel loads.

Current behavior

DNS sinkholing panel fails to load because the field is not in the base search.

Possible solution

Add values(log.vendor_action) as vendor_action, or add log.vendor_action to the by clause of the base search.

Steps to reproduce

Open the dashboard

Screenshots

Current setup: [image]

With vendor_action added to the by clause: [image]

Context

Noticed the panel not working; just want to help fix it globally.

Your Environment

Palo Alto app version 8.1.0
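For readers unfamiliar with how Splunk Simple XML base searches work, the fragment below illustrates the failure the report describes: a post-process search (`<search base="...">`) can only reference fields that the base search actually emits, so a panel that filters on `vendor_action` breaks unless the base search's `stats`/`tstats` output carries that field. This is an added example and is not the app's own network_security.xml; the data model name `pan_firewall`, the `log.threat` node, the field list in the `by` clause, the panel name and the action value `sinkhole` are all assumptions to be matched against the real dashboard and the actual values in your threat logs.

```xml
<form>
  <label>Network Security (illustrative fragment, not the app's dashboard)</label>
  <fieldset submitButton="false">
    <input type="time" token="time">
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>

  <!-- Base search. Every field a dependent panel filters or charts on must be
       produced here. log.vendor_action is included in the by clause (the fix the
       issue proposes); without it, the DNS sinkholing panel below has nothing
       to match on and renders empty or errors out.
       Assumptions: datamodel pan_firewall, node log.threat. -->
  <search id="base_threat">
    <query>
      | tstats count from datamodel=pan_firewall.log where nodename=log.threat
          by _time span=1h, log.src_ip, log.dest_ip, log.vendor_action
      | rename log.* as *
    </query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>

  <row>
    <panel>
      <title>DNS Sinkholing</title>
      <chart>
        <!-- Post-process search: depends on vendor_action existing in the base
             search output. The value "sinkhole" is the assumed PAN-OS threat-log
             action for sinkholed DNS queries; confirm it against your data. -->
        <search base="base_threat">
          <query>
            | search vendor_action="sinkhole"
            | timechart span=1h sum(count) as sinkholed_queries
          </query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
  </row>
</form>
```

When debugging a blank post-process panel, a quick check is to run the base search's query on its own in the search bar and confirm the filtered field appears in the Fields sidebar; if it does not, the dependent panel cannot filter on it regardless of how the panel's own query is written.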