I recently updated to Splunk Enterprise 6.2.1 and have noticed that my Palo Alto logs are no longer extracting fields when searching inside the Search app. When I go to the Palo Alto App and use sideview search, then the fields are extracted correctly.
Is this intended or is there a setting to change to extract fields in both locations?
I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?
I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?
This was caused because I created a whole new app for Palo Alto and migrated my local folders but I forgot to move the local.meta file as well, which had these setting along with permission settings for the application. Self inflicted but I hope this thread helps someone!