Is there something that we are supposed to be doing after installing this or is it just broken?
Here is my output during startup of splunkd
Checking conf files for problems...
Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 8: outputMode (value: splunkstream).
Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 14: autotimestamp (value: 1).
Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 15: randomizeCount (value: 0.2).
Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 16: randomizeEvents (value: 0).
Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 18: sourcetype (value: pan:log).
Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 19: source (value: eventgen:pan_globalprotect.samplelog).
Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 27: outputMode (value: splunkstream).
Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 33: randomizeCount (value: 0.2).
Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 34: randomizeEvents (value: true).
Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 36: sourcetype (value: pan:log).
Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 37: source (value: eventgen:pan_incident.samplelog).
Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 68: outputMode (value: splunkstream).
Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 74: randomizeCount (value: 0.2).
Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 75: randomizeEvents (value: true).
Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 77: sourcetype (value: pan:log).
Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 78: source (value: eventgen:pan_endpoint.samplelog).
Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 79: autotimestamp (value: 1).
Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 88: outputMode (value: splunkstream).
Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 94: randomizeCount (value: 0.2).
Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 95: randomizeEvents (value: true).
Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 97: sourcetype (value: pan:log).
Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 98: source (value: eventgen:pan_incident_data_config.samplelog).
Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 119: mode (value: replay).
Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 120: sampletype (value: csv).
Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 121: timeField (value: _time).
Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 122: index (value: main).
Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 128: timeMultiple (value: 2).
Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 129: autotimestamp (value: 1).
Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 134: sourcetype (value: pan:log).
Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 135: source (value: eventgen:pan_wildfire_reports.csv).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
It's safe to delete eventgen.conf and the samples directory one level above. It's actually required when you want to install an app on an indexer cluster.
That did the trick. Also, I had someone send me this link: http://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall#Indexer_clusters