Palo Alto for Splunk app - should I have to modify dashboard queries to see data?

New Member

I have installed the Palo Alto App and Add-on on our search head and have installed the add-on on 1 of our three indexers for happy path testing. I set up an inputs.conf file to send the data to the pan_logs index. With regard to dashboards under Operations, the firewall system and configuration dashboards are working well. For the realtime event feed, I actually had to edit the base search query to include index=pan_logs (changed 'pan_logs' to index=pan_logs) to get the FWs to show up as reporting and generate the live events. I know the timestamps are good because it's (almost) realtime in the system and configuration dashboards. I guess my questions are:
- Is the app expecting everything to be in the default index?
- Why would I need to update the base search query to see data (i.e. even if I search for 'pan_logs' I don't see anything, with index=pan_logs I get everything)?

Software versions:
-Splunk 8.0.2
-Palo Alto for Splunk App 6.2.0 (on search head)
-Palo Alto for Splunk Add on 6.2.- (on search head and indexer)

Inputs.conf from indexer:

index = pan_logs
sourcetype = pan:firewall
connection_host = ip
no_appending_timestamp = true

Any help would be greatly appreciated. We are working through the issues (but not sure it's the right approach) and just need to figure out if I need to consider templating out eventtypes.conf, etc. as part of our install to account for changes up front.

0 Karma

New Member

I should also add that Data model acceleration is enabled for the Palo Alto App in Splunk.

0 Karma