All Apps and Add-ons

After upgrade to Splunk 6.2.1, why are fields no longer extracted from Palo Alto logs when searching using the Search App?

Communicator

I recently updated to Splunk Enterprise 6.2.1 and have noticed that my Palo Alto logs are no longer extracting fields when searching inside the Search app. When I go to the Palo Alto App and use sideview search, then the fields are extracted correctly.

Is this intended or is there a setting to change to extract fields in both locations?

0 Karma
1 Solution

Communicator

I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?

View solution in original post

Communicator

I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?

View solution in original post

Communicator

This was caused because I created a whole new app for Palo Alto and migrated my local folders but I forgot to move the local.meta file as well, which had these setting along with permission settings for the application. Self inflicted but I hope this thread helps someone!