Good to hear that the pan_logs index requirement is gone.
Please clarify - since the logs can go into any index I specify, how does the app know where to look? Is it just by eventtype?
Yes, the logs are retrieved by eventtype. Of course, the logs have to be in an index that is searchable by the user.
Incidentally, this allows you to hide certain events from some users by restricting their access to an index with sensitive events.
Does the sourcetype need to be pan_logs?
In app versions before 5.0.0, the sourcetype in inputs.conf has to be pan_log. In app version 5.0.0 and higher, the sourcetype is changed to pan:log to conform with new Splunk standards, but pan_log still works fine. The props and transforms will parse any logs with sourcetype pan:log (or pan_log) into one of the more specific sourcetypes (pan:traffic, pan:threat, etc.). So when the logs are indexed they will have a sourcetype of pan:traffic, pan:threat, etc., and not sourcetype pan:log.
Just to clarify - the index isn't specified as part of the config in any way, the app just uses the eventtype - correct?
Correct, the index is not specified anywhere in the app, starting with app version 5.0.0. Only the eventtype is used.
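A constructed configuration illustrating the answers above (not from the thread or the app): the deployer picks the index in inputs.conf with sourcetype pan:log, and a role is restricted to a non-sensitive index so the app's eventtype-based searches only surface what that role may see. The port, index names and role name are assumptions.

```ini
# Constructed example, not the app's own configuration.
# inputs.conf on the instance receiving firewall syslog. The app does not set
# an index; the "index" value here is the deployer's choice (assumed names).
[udp://5514]
sourcetype = pan:log
index = fw_sensitive
connection_host = ip

# authorize.conf: a role allowed to search only the routine firewall index.
# Because the app's eventtype searches carry no "index=" clause, they run
# against the role's default indexes, so the sensitive index must be absent
# from both srchIndexesAllowed and srchIndexesDefault for this role.
[role_soc_tier1]
importRoles = user
srchIndexesAllowed = fw_general
srchIndexesDefault = fw_general
```

Conversely, any index that should appear in the app's dashboards for a role has to be in that role's srchIndexesDefault, or the eventtype searches will return nothing for it.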