I would like to globally apply the field extractions for the Palo Alto Networks App for Splunk and lock it down to its index so we do not get false positive matches when looking at data in another index. The goal is to have a dashboard listing our products' metrics; however, the Palo Alto fields do not show up in the Search app - they only show up in the Palo Alto app.
As kchamplin describes, the exports describe what is visible to other apps. You can change the exports in the existing app. Or, the latest Palo Alto Networks App 5.0 and Add-on export the field extractions to other apps by default. So upgrading to the latest App and Add-on from Splunkbase will fix it.
The app shouldn't be exporting any field names; it would be the TA (Splunk_TA_paloalto), and by default I believe it is set to export everything, at least on the latest version - per its default.meta file:
[]
access = read : [ * ], write : [ admin, power ]
export = system
How are you constructing your searches? Most of these fields are associated with the sourcetype pan:*.
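
Added example, not part of the original thread and not code from the app or TA: a small Python check that resolves which `export` value applies to a knowledge object, given an app's metadata/default.meta and an optional metadata/local.meta. The sample file contents, the object paths and the function names are constructed for illustration; the precedence model (local.meta over default.meta, most specific stanza first, app-private when nothing is set) is a simplified assumption about how Splunk layers these files.

```python
import re

# Constructed sample contents; DEFAULT_META mirrors the stanza quoted above.
DEFAULT_META = """\
[]
access = read : [ * ], write : [ admin, power ]
export = system
"""

# Constructed local override that would hide props (field extractions) again.
LOCAL_META = """\
[props]
export = none
"""

def parse_meta(text):
    """Parse .meta text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)          # "" is the global [] stanza
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_export(obj_path, default_text, local_text=""):
    """Return the export value applying to obj_path, e.g. 'props/pan%3Atraffic'."""
    merged = parse_meta(default_text)
    for stanza, settings in parse_meta(local_text).items():
        merged.setdefault(stanza, {}).update(settings)   # local wins per key
    parts = obj_path.split("/")
    # Most specific stanza first: 'props/x', then 'props', then global ''.
    candidates = ["/".join(parts[:i]) for i in range(len(parts), 0, -1)] + [""]
    for stanza in candidates:
        if "export" in merged.get(stanza, {}):
            return merged[stanza]["export"]
    return "none"   # assumption: with no export set, the object stays app-private

if __name__ == "__main__":
    for path in ("props/pan%3Atraffic", "transforms/pan_lookup"):
        print(path, "->", effective_export(path, DEFAULT_META, LOCAL_META))
```

Running it against the real files from Splunk_TA_paloalto shows whether a local override is the reason the fields are missing outside the app.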