All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After upgrade to Splunk 6.2.1, why are fields no longer extracted from Palo Alto logs when searching using the Search App?

hlarimer
Communicator
‎01-19-2015 06:22 AM

I recently updated to Splunk Enterprise 6.2.1 and have noticed that my Palo Alto logs are no longer extracting fields when searching inside the Search app. When I go to the Palo Alto App and use sideview search, then the fields are extracted correctly.

Is this intended or is there a setting to change to extract fields in both locations?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hlarimer
Communicator
‎01-19-2015 10:40 AM

I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?

View solution in original post

Reply
Solved! Jump to solution
Solution

hlarimer
Communicator
‎01-19-2015 10:40 AM

I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?

Reply
Solved! Jump to solution

hlarimer
Communicator
‎01-19-2015 11:11 AM

This was caused because I created a whole new app for Palo Alto and migrated my local folders but I forgot to move the local.meta file as well, which had these setting along with permission settings for the application. Self inflicted but I hope this thread helps someone!

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top