I can see data being collected from my Palo Alto Devices (4 of them), but when I switch over to the Palo Alto App there is no data. Tried adding this into 2 locations:
connection_host = IP Address
sourcetype = pan_log
no_appending_timestamp = true
under the file "inputs.conf" (located at \SplunkforPaloAltoNetworks\local and \Splunk\etc\system\local and \Splunk\etc\system\default) with no results.
Anyone know the answer?
I might be a little late for an answer, but I just came across this issue today because we just started setting up our PAs.
My solution was to modify the macros.conf file located here $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/macros.conf.
The portions of the conf file I modified are below:
[pan_threat]
definition = index=indexname sourcetype="pan_threat" NOT "THREAT,url"
[pan_traffic]
definition = index=indexname sourcetype="pan_traffic"
[pan_system]
definition = index=indexname sourcetype="pan_system"
[pan_config]
definition = index=indexname sourcetype="pan_config"
[pan_web_activity]
definition = index=indexname sourcetype="pan_threat" "THREAT,url"
You'll notice that in your macros.conf file you won't have the index specified.
Hopefully this helps or at least helps others that come across this issue in the future.
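The fix above works by scoping each pan_* macro to the index the firewall logs actually land in. As an added example (not code from the thread or from the Palo Alto app), here is a small Python script that parses a Splunk macros.conf, reports which macros lack an index term, and renders the override stanzas for the app's local/ directory; local/ takes precedence over default/ and, unlike default/, is not replaced when the app is upgraded. The sample conf body is constructed for the example, the macro prefix `pan_` and the index name `pan_logs` are assumptions, and real files may contain other keys or stanzas.

```python
import re

# Constructed sample modelled on the macros.conf fragment in the answer above.
# The already-scoped pan_system stanza and the index name "pan_logs" are assumptions.
SAMPLE_MACROS_CONF = """\
# comment lines and blank lines are ignored
[pan_threat]
definition = sourcetype="pan_threat" NOT "THREAT,url"

[pan_traffic]
definition = sourcetype="pan_traffic"

[pan_system]
definition = index=pan_logs sourcetype="pan_system"
iseval = 0
"""

# Matches an index constraint in SPL: index=foo, index="foo", index IN (...)
INDEX_TERM = re.compile(r'(?<![\w.])index\s*(=|\bIN\b)', re.IGNORECASE)
# Splunk index names are lowercase letters, digits, '_' and '-'. Rejecting
# anything else stops a caller from smuggling extra search terms (a space,
# a '|', a NOT) into the macro through the index name.
INDEX_NAME = re.compile(r'^[a-z0-9][a-z0-9_-]*$')


def parse_conf(text):
    """Parse a Splunk .conf body into {stanza: {key: value}}.

    Hand-rolled rather than configparser because Splunk values may contain
    '=' and ':' freely and keys are case-sensitive."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or not a key = value line
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def macros_missing_index(text, prefix="pan_"):
    """Names of <prefix>* macros whose definition carries no index term."""
    return [name for name, kv in parse_conf(text).items()
            if name.startswith(prefix)
            and not INDEX_TERM.search(kv.get("definition", ""))]


def render_local_override(text, index_name, prefix="pan_"):
    """Build the macros.conf body to drop into <app>/local/.

    Only macros lacking an index term are emitted, each with
    'index=<index_name>' prepended; every other setting keeps coming from
    default/, so the override stays minimal and survives an app upgrade."""
    if not INDEX_NAME.match(index_name):
        raise ValueError("invalid Splunk index name: %r" % index_name)
    stanzas = parse_conf(text)
    out = []
    for name in macros_missing_index(text, prefix):
        definition = stanzas[name].get("definition", "")
        out.append("[%s]\ndefinition = index=%s %s\n" % (name, index_name, definition))
    return "\n".join(out)


if __name__ == "__main__":
    print("macros without an index term:", macros_missing_index(SAMPLE_MACROS_CONF))
    print(render_local_override(SAMPLE_MACROS_CONF, "pan_logs"))
```

Run it against the real file with `open("$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/macros.conf").read()` in place of the sample, and write the returned text to the app's local/macros.conf; a subsequent `macros_missing_index` over the rendered text returns an empty list, which is the check that every dashboard search is now pinned to the index.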
I tried this out and I am not getting data. Do you know if there are any other suggestions?
I have the same issue. How did you solve it?