I recently installed Splunk (4.3.4) and the Palo Alto app (2.3) and have run into an issue I can't seem to find a solution to. The PAN is forwarding traffic over to the Splunk server just fine. If I look at the PAN Overview page, I show numbers updating in the four boxes at the top of the screen (PAN Reporting, Events, Block-URL, Top Category), however the Event Types on the right of the screen says "Waiting for Data." My inputs.conf is configured as follows:
[udp://5155]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
If I try to look at any of the dashboards I get the response "No results found. Inspect..." and I'm not sure where to go from here. My guess is I need to possibly add a data input?? but this was not listed on the install notes so my guess may be wrong. Another idea was to change the macros.conf, as it was suggested a couple times in this forum, but no luck there either. I'm running Splunk on a Windows 2008 R2 x64 server. Any help would be appreciated!
Check to see that the index named pan_logs is in the default search path of your user. You can verify this by going to : Manager -> Access Controls -> Roles -> Admin (or some other user) -> Indexes searched by default, select the pan_logs index so it appears in the Selected indexes.
At least in the TA-paloalto (which I believe this app uses now) the sourcetypes are forced by reference of the "pan" sourcetype. You have set yours to "pan_log" manually. Needs to be the same in inputs.conf and here in props.conf
[pan]
TRANSFORMS-force_sourcetype_for_pan = force_sourcetype_for_pan_traffic,force_sourcetype_for_pan_threat,force_sourcetype_pan_config
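As an added example (not from this thread or from the Palo Alto app), a small Python check that parses both files the way Splunk's INI-style .conf format is laid out and reports any inputs.conf sourcetype that has no props.conf stanza, which is exactly the "pan_log" vs "[pan]" mismatch above; the two file contents embedded below are constructed from the thread.

```python
"""Check that every sourcetype assigned in inputs.conf has a matching
props.conf stanza, so the app's TRANSFORMS-* routing actually runs."""
import configparser

# Constructed sample files mirroring the thread: the input still says
# "pan_log", while the app's props.conf only defines "[pan]".
INPUTS_CONF = """
[udp://5155]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
"""

PROPS_CONF = """
[pan]
TRANSFORMS-force_sourcetype_for_pan = force_sourcetype_for_pan_traffic,force_sourcetype_for_pan_threat,force_sourcetype_pan_config
"""


def parse_conf(text):
    """Splunk .conf files are INI-style; return {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def find_sourcetype_mismatches(inputs_text, props_text):
    """Return (input_stanza, sourcetype) pairs whose sourcetype has no
    props.conf stanza; such data is indexed but never re-typed by the app."""
    inputs = parse_conf(inputs_text)
    props = parse_conf(props_text)
    return [(stanza, keys["sourcetype"]) for stanza, keys in inputs.items()
            if keys.get("sourcetype") and keys["sourcetype"] not in props]


def transforms_for(props_text, sourcetype):
    """List the transform names a props.conf stanza applies to a sourcetype."""
    stanza = parse_conf(props_text).get(sourcetype, {})
    names = []
    for key, value in stanza.items():
        if key.startswith("TRANSFORMS-"):
            names.extend(v.strip() for v in value.split(","))
    return names


if __name__ == "__main__":
    for stanza, st in find_sourcetype_mismatches(INPUTS_CONF, PROPS_CONF):
        print(f"{stanza}: sourcetype '{st}' has no props.conf stanza; "
              f"props.conf defines: {list(parse_conf(PROPS_CONF))}")
```

Point the two constants at the real files under $SPLUNK_HOME/etc/apps to run it against a live install; an empty result means the input's sourcetype lines up with the app's props.conf.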
Does anyone else have any ideas on possible solutions?
Would you happen to have examples I could reference for the inputs.conf and props.conf files? The readme referenced the pan_log sourcetype and if I make any other changes I will exceed my limited knowledge of this product!