Solved: PAN App on Search Head cluster

lisaac · ‎09-11-2015

Does Splunk for PAN App work on a search head cluster ?

rphillips_splk · ‎09-15-2015

Palo Alto app versions 4.1 and later will work on SHC since the developers have moved from TSIDX to data models.
Note: the data model backfill will search raw data. Your tsidx namespaces that were originally built under earlier versions of the app(and may contain data going back further than what your raw data contains) will no longer work.

https://splunkbase.splunk.com/app/491/#/documentation

Starting in version 4.1 of this app, all of the dashboards use the Splunk 6 Datamodel feature, which allows for pivot of Palo Alto Networks data and better control and acceleration of summary indexes used by the dashboards. This replaces the TSIDX feature from Splunk 5.

If you are upgrading the app from a pre-4.1 version to 4.1 or higher, then you may delete the TSIDX files that were generated by the previous version of the app. To delete the TSIDX files, look under $SPLUNK_HOME$/var/lib/splunk/tsidxstats/ and remove any directories that start with pan_. There could be up to 10 directories.

After upgrade to 4.1 or higher, Splunk will backfill the datamodel with historic data up to 1 year old. It may take some time for historic data to show up in the dashboards, but it will be available in the pivot interface and search immediately. The time range for historic data to be available in the dashboards can be adjusted in the datamodel accelerations settings.

If you have customized the built-in dashboards of a previous app version, then they will no longer work because the customized dashboards will still use TSIDX. Remove your custom dashboards from the local directory of the app to use the new datamodel-based dashboards. You can add your customizations to the new dashboards.

View solution in original post

rphillips_splk · ‎09-15-2015

Palo Alto app versions 4.1 and later will work on SHC since the developers have moved from TSIDX to data models.
Note: the data model backfill will search raw data. Your tsidx namespaces that were originally built under earlier versions of the app(and may contain data going back further than what your raw data contains) will no longer work.

https://splunkbase.splunk.com/app/491/#/documentation

Starting in version 4.1 of this app, all of the dashboards use the Splunk 6 Datamodel feature, which allows for pivot of Palo Alto Networks data and better control and acceleration of summary indexes used by the dashboards. This replaces the TSIDX feature from Splunk 5.

If you are upgrading the app from a pre-4.1 version to 4.1 or higher, then you may delete the TSIDX files that were generated by the previous version of the app. To delete the TSIDX files, look under $SPLUNK_HOME$/var/lib/splunk/tsidxstats/ and remove any directories that start with pan_. There could be up to 10 directories.

After upgrade to 4.1 or higher, Splunk will backfill the datamodel with historic data up to 1 year old. It may take some time for historic data to show up in the dashboards, but it will be available in the pivot interface and search immediately. The time range for historic data to be available in the dashboards can be adjusted in the datamodel accelerations settings.

If you have customized the built-in dashboards of a previous app version, then they will no longer work because the customized dashboards will still use TSIDX. Remove your custom dashboards from the local directory of the app to use the new datamodel-based dashboards. You can add your customizations to the new dashboards.

PAN App on Search Head cluster

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!