All Apps and Add-ons

Splunk for Palo Alto Networks: How does the configuration of the app change with an Indexer Cluster?

New Member

I have an indexer cluster with (4) members and I am wondering how to get data from our 3 PAN devices. I have the app installed on our clustered search heads, but I am also wondering if we will need the app on the indexers as well. Ideally, I would like to have each of the devices load-balance their data to the indexers (like a forwarder does), but I do not know if this is possible. Any advice would be of great help!


Splunk Employee

You might find this helpful:

https://live.paloaltonetworks.com/docs/DOC-9683
It is an addendum to the original and references clustered indexers.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

SplunkTrust

The documentation Palo Alto provides is not a best practice for collecting syslogs. There is a great discussion on this at: http://www.georgestarcher.com/splunk-success-with-syslog/. Start there; it will help scale your collection of syslogs.

This App doesn't specifically mention any configurations for Indexer Clusters or Search Clusters. I'd throw it everywhere just to make sure all configs are where they need to be.

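The pattern the linked syslog discussion recommends, as an added example that is not from this thread, from the Palo Alto app, or from its documentation: a syslog daemon (syslog-ng or rsyslog) on a collector host writes each firewall's messages to a per-host file, and a Universal Forwarder on that host reads the files and load-balances across the cluster peers, which gives the "like a forwarder does" behaviour the question asks for. The file path `/var/log/syslog-ng/<host>/pan.log`, the index name, the peer hostnames `idx1`..`idx4`, and port 9997 are assumptions; use the sourcetype and index your installed version of the app expects.

```ini
# Added example (not from this thread or the Splunk for Palo Alto Networks app).
# Assumed layout: the syslog daemon writes /var/log/syslog-ng/<firewall-host>/pan.log
# and a Universal Forwarder on the same box monitors that tree.

# $SPLUNK_HOME/etc/system/local/inputs.conf  (on the forwarder)
[monitor:///var/log/syslog-ng/*/pan.log]
# Sourcetype/index names are assumptions; match what your app version expects
sourcetype = pan_log
index = pan_logs
# Path segments: /var(1)/log(2)/syslog-ng(3)/<host>(4)/pan.log -> host from segment 4
host_segment = 4
disabled = false

# $SPLUNK_HOME/etc/system/local/outputs.conf  (on the forwarder)
[tcpout]
defaultGroup = pan_indexers

[tcpout:pan_indexers]
# All four cluster peers (assumed hostnames); the forwarder rotates between them
server = idx1.example.com:9997,idx2.example.com:9997,idx3.example.com:9997,idx4.example.com:9997
# Switch to the next peer every 30 seconds so events spread evenly across the cluster
autoLBFrequency = 30
# Require indexer acknowledgement so a peer failure mid-send does not lose events
useACK = true
```

Nothing in this layout requires the app on the forwarder. The app's index-time pieces (its props.conf and transforms.conf) reach the peers through the cluster master's master-apps directory and `splunk apply cluster-bundle`, not by installing the app on each indexer by hand; the search-time pieces stay on the search heads where the thread already has them.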

Builder

Have you gotten this sorted out?
