
Palo Alto for Splunk app: should I have to modify dashboard queries to see data?

kkadak
New Member

I have installed the Palo Alto App and Add-on on our search head and have installed the add-on on 1 of our three indexers for happy-path testing. I set up an inputs.conf file to send the data to the pan_logs index. With regards to dashboards under Operations, the firewall system and configuration dashboards are working well. For the realtime event feed I actually had to edit the base search query to include index=pan_logs (changed 'pan_logs' to index=pan_logs) to get the FWs to show up as reporting and generate the live events. I know the timestamps are good because it's (almost) realtime in the system and configuration dashboards. I guess my questions are:
- Is the app expecting everything to be in the default index?
- Why would I need to update the base search query to see data (i.e. even if I search for 'pan_logs' I don't see anything; with index=pan_logs I get everything)?

Software versions:
-Splunk 8.0.2
-Palo Alto for Splunk App 6.2.0 (on search head)
-Palo Alto for Splunk Add on 6.2.- (on search head and indexer)

Inputs.conf from indexer:

[udp://5514]
index = pan_logs
sourcetype = pan:firewall
connection_host = ip
no_appending_timestamp = true

Any help would be greatly appreciated. We are working through the issues (but not sure it's the right approach) and just need to figure out if I need to consider templating out eventtypes.conf, etc. as part of our install to account for changes up front.

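One thing worth separating out in the question above: a bare search term like 'pan_logs' matches that string in event text, while index=pan_logs restricts the search to the index the input writes to, so the two are not equivalent. A practical way to audit which inputs would be missed by an index-scoped search is to lint inputs.conf for stanzas that fall back to the default index or set a sourcetype the app does not look for. The script below is an added example, not code from the poster or from the Palo Alto Networks app or add-on; it assumes the dashboards are fed from index pan_logs with sourcetype pan:firewall (the values in the poster's stanza) and that an input with no index key lands in Splunk's default index, main. The sample inputs.conf is constructed: the poster's stanza plus two hypothetical inputs (udp://5515, tcp://5516) that illustrate the two failure modes.

```python
"""Lint a Splunk inputs.conf so every input routes where the app's searches look.

Added example, not code from the Palo Alto Networks app/add-on or the poster.
Assumptions: dashboard searches are scoped to index=pan_logs and
sourcetype=pan:firewall; a stanza with no `index` key writes to Splunk's
default index (main).
"""
import configparser
import io

# Constructed sample: the poster's stanza plus two hypothetical inputs.
SAMPLE_INPUTS_CONF = """\
[udp://5514]
index = pan_logs
sourcetype = pan:firewall
connection_host = ip
no_appending_timestamp = true

[udp://5515]
sourcetype = pan:firewall
connection_host = ip

[tcp://5516]
index = pan_logs
sourcetype = syslog
"""

EXPECTED_INDEX = "pan_logs"          # assumed: index the app searches
EXPECTED_SOURCETYPE = "pan:firewall" # assumed: sourcetype the app searches
DEFAULT_INDEX = "main"               # Splunk's default when no index is set


def parse_inputs_conf(text):
    """Return {stanza: {key: value}} for an INI-style Splunk .conf file."""
    # Only '=' separates key and value; ':' appears inside values (pan:firewall).
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_file(io.StringIO(text))
    return {section: dict(cp.items(section)) for section in cp.sections()}


def default_index_stanzas(conf):
    """Stanzas with no `index` key: their events land in the default index."""
    return [stanza for stanza, kv in conf.items() if "index" not in kv]


def lint_inputs(conf, expected_index=EXPECTED_INDEX,
                expected_sourcetype=EXPECTED_SOURCETYPE):
    """Return (stanza, problem) pairs for inputs an index-scoped search would miss."""
    findings = []
    for stanza, kv in conf.items():
        index = kv.get("index", DEFAULT_INDEX)
        if index != expected_index:
            findings.append((stanza, f"routes to index={index}, not index={expected_index}"))
        sourcetype = kv.get("sourcetype")
        if sourcetype != expected_sourcetype:
            findings.append((stanza, f"sourcetype={sourcetype!r}, expected {expected_sourcetype!r}"))
        # For UDP inputs, Splunk prepends its own timestamp and host to each
        # event unless no_appending_timestamp is true.
        if stanza.startswith("udp://") and kv.get("no_appending_timestamp", "false").lower() != "true":
            findings.append((stanza, "no_appending_timestamp not set; Splunk will prepend a timestamp/host"))
    return findings


if __name__ == "__main__":
    parsed = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    print("stanzas using the default index:", default_index_stanzas(parsed))
    for stanza, problem in lint_inputs(parsed):
        print(f"[{stanza}] {problem}")
```

Run it against a real inputs.conf by replacing SAMPLE_INPUTS_CONF with the file's contents; any stanza reported under "default index" explains data that is visible with index=* but absent from a pan_logs-scoped search.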

kkadak
New Member

I should also add that data model acceleration is enabled for the Palo Alto App in Splunk.
