I have installed the Palo Alto App and Add-on on our search head and have installed the Add-on on one of our three indexers to do happy-path testing. I set up an inputs.conf file to send the data to the pan_logs index. With regard to the dashboards under Operations, the firewall system and configuration dashboards are working well. For the real-time event feed I actually had to edit the base search query to include index=pan_logs (changed 'pan_logs' to index=pan_logs) to get the FWs to show up as reporting and generate the live events. I know the timestamps are good because it's (almost) real time in the system and configuration dashboards. I guess my questions are:
- Is the app expecting everything to be in the default index?
- Why would I need to update the base search query to see data (i.e. even if I search for 'pan_logs' I don't see anything; with index=pan_logs I get everything)?
Software versions:
- Splunk 8.0.2
- Palo Alto for Splunk App 6.2.0 (on search head)
- Palo Alto for Splunk Add-on 6.2.- (on search head and indexer)
inputs.conf from indexer:
[udp://5514]
index = pan_logs
sourcetype = pan:firewall
connection_host = ip
no_appending_timestamp = true
Any help would be greatly appreciated. We are working through the issues (but not sure it's the right approach) and just need to figure out whether I need to consider templating out eventtypes.conf, etc. as part of our install to account for changes up front.
I should also add that data model acceleration is enabled for the Palo Alto App in Splunk.
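Two checks that help separate "data is not arriving" from "data is arriving but my search cannot see it", added here as an example and not part of the original post or of the Palo Alto App. In Splunk a bare term such as pan_logs is a keyword match over the role's default search indexes, whereas index=pan_logs names the index explicitly, so a search that only works with index= usually points at the role's default-index setting rather than at the data. The role name user below is an assumed example; substitute the role of the account running the dashboards.

```spl
| tstats count where index=pan_logs by sourcetype host

| eventcount summarize=false index=pan_logs

| rest /services/authorization/roles splunk_server=local
| search title=user
| table title srchIndexesDefault srchIndexesAllowed
```

The first search confirms which sourcetypes and hosts are actually landing in pan_logs (useful to verify that the add-on is rewriting pan:firewall into the per-log-type sourcetypes the dashboards expect); the second gives the raw event count in the index independent of search-time restrictions; the third shows whether pan_logs appears in the role's srchIndexesDefault. If it is only in srchIndexesAllowed, searches without an index= clause will not see the data, which matches the symptom described above and is fixed at the role level rather than by editing each dashboard's base search.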