@harsmarvania57,

Thank you for your response.

I was in assumption that Field Extractions will work if we install the Add-On in Heavy Forwarder itself. Since we have done for Cisco -Asa Add-on that is we have installed the Add-on in the Heavy Forwarder post which the fields were automatically extracted in Splunk Cloud.

So what is the necessity to install the Add-on on search head as well? Kindly let us know.

I have already submitted a case to support to install the Add-on on our Splunk Cloud Search head as well but really want to know why it is mandate to install in Search head as well.

Have a look at https://splunk.paloaltonetworks.com/installation.html#where-to-install , you can see where Add-on installation require.

Additionally if you look at props.conf in Palo Alto Add-on then you can see below config, in below config REPORT-search, FIELDALIAS-*, LOOKUP-* those work on Search Head.

[pan:traffic]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^(?:[^,]*,){6}
MAX_TIMESTAMP_LOOKAHEAD = 32

REPORT-search = extract_traffic

FIELDALIAS-app                       = app as application
FIELDALIAS-virtual_system            = vsys as virtual_system
# Field Aliases to map specific fields to the Splunk Common Information Model - Network Traffic
EVAL-vendor_action                   = action
LOOKUP-vendor_action                 = pan_vendor_action_lookup vendor_action OUTPUT action
# bytes, bytes_in, bytes_out
FIELDALIAS-dest_for_pan_traffic      = dest_ip as dest
FIELDALIAS-dvc_for_pan_traffic       = host as dvc
FIELDALIAS-protocol_for_pan_traffic  = protocol as vendor_protocol
FIELDALIAS-src_for_pan_traffic       = src_ip as src

Thank you for the valuable information. Let me get the Add-on and App installed in the Search head as well. And will update you of how it works.

Post installing the Add-on in Search Head the Field extractions are happening as expected. Thanks

@anandhalagarasan16021988 , After installing Add-on in SH, Do we have to configure the settings in GUI? or simply installing Add-on will work?

I just installed add-on on SH(havent configured) still its not parsing as expected.

We have installed the Add-On in two places .

1) Heavy Forwarder
2)Search Head

The logs are received in our Heavy Forwarder so field extractions will happen during indexing time.

And then we have installed the Add-On in Search head to do a search time field extractions.

Kindly note we have just installed the Add-on in both the places and we didn't performed any configuration.

During ingestion have you renamed the sourcetype as pan:log so that the logs would be segregated into three sourcetypes.

pan:traffic
pan:threat
pan:system

Then post installing the Add-ON then automatically field extractions would happen .

@anandhalagarasan16021988 Yes, I got the segregated sourcetypes. But my logs looks like below :

"< 14 >"Feb 17 14:19:33 xx.xx.xx.xx 1,2020/02/17 14:19:33,016401000908,TRAFFIC,end,2304,2020/02/17 14:19:33,35.xx.xx.xx.xx,xx.xx.xx.xx0.0.0.0,0.0.0.0,INET-GUEST-ACCESS,,,non-syn-tcp,vsys1,INTERNET,INTERNET,ae2,ae2,LOG_FWD_PROF_1,2020/02/17 14:19:33,727602,1,443,24892,0,0,0xc,tcp,allow,66,66,0,1,2020/02/17 14:18:01,0,any,0,20697326448,0x0,,0,1,0,aged-out,0,0,0,0,,FWRY94-WIFI-F1-02,from-policy,,,0,,0,,N/A,0,0,0,0,50f6973a-da2e-435d-8ba9-40c9ee826cd7,0--"

I cannot paste the screenshot here. At the beginning of the log, before Feb its showing "< 14 >".

Also, I cannot see src_ip, dst_ip etc.

This is how the log file looks when it has been segregated into three sourcetypes.

But in my logs i can able to see the src_ip and dest_ip fields.

So kindly help on the request.