Look for a namespace collision problem. Somewhere in your configurations that you wrote/installed before you added the Palo Alto Networks app, you may have created a Knowledge Object with the exact same lookup file name or lookup definition name and given it a "global" permission (scope). If you happened to pick the same name for yours as is being used by PAN, you may be interfering with the chain of KOs within the PAN app.
Possible name collision problem. This is also caused if you are using an automatic lookup for which the user(s) do not have permission to the CSV lookup file. Either upload/generate a new CSV lookup, remove the automatic lookup, or change the permission on the CSV to everyone read.
I cannot see this being the problem because in this case, all of the configuration files in question are pre-packaged in the Palo Alto Networks app, unless some idiot modified permissions after the app was installed.
Are you running that search outside of the Palo Alto app? If so, do you get the same results if you run it inside the Palo Alto app? I'm wondering if maybe the lookups aren't shared globally.
Of course, maybe make sure the lookups are actually there too: Settings -> Lookups -> Lookup definitions. Then choose the "Splunk for Palo Alto" app in the dropdown.
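Added example, not part of the thread and not code from the Palo Alto Networks app: one way to check for the name collision described in the first answer is to compare lookup definitions and lookup file names across apps and flag any name that more than one app defines while at least one copy is exported globally (`export = system` in the app's `.meta` file). It assumes each app's `transforms.conf` and metadata have already been read into strings; the app names and lookup names are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample input: app and lookup names are placeholders, not the PAN app's real ones.
SAMPLE_APPS = {
    "my_custom_app": {
        "transforms": "[example_threat_lookup]\nfilename = example_threats.csv\n",
        "meta": "[]\nexport = system\n",  # everything in this app is shared globally
    },
    "pan_app_placeholder": {
        "transforms": "[example_threat_lookup]\nfilename = example_threats.csv\n"
                      "[example_apps_lookup]\nfilename = example_apps.csv\n",
        "meta": "[transforms]\nexport = none\n[lookups]\nexport = none\n",
    },
}

def parse_conf(text):
    """Parse Splunk .conf/.meta text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})  # "[]" becomes stanza ""
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def is_global(meta, kind, name):
    """Most specific metadata stanza wins: [kind/name], then [kind], then []."""
    for stanza in (f"{kind}/{name}", kind, ""):
        if "export" in meta.get(stanza, {}):
            return meta[stanza]["export"] == "system"
    return False

def find_collisions(apps):
    """Names defined by more than one app where some copy is exported globally."""
    owners = defaultdict(list)
    for app, conf in apps.items():
        meta = parse_conf(conf["meta"])
        for name, settings in parse_conf(conf["transforms"]).items():
            if "filename" not in settings:  # skip transforms that are not file lookups
                continue
            for kind, obj in (("transforms", name), ("lookups", settings["filename"])):
                owners[(kind, obj)].append((app, is_global(meta, kind, obj)))
    return {k: v for k, v in owners.items() if len(v) > 1 and any(g for _, g in v)}

print(find_collisions(SAMPLE_APPS))
```

On a real search head the strings would come from each app's `default` and `local` `transforms.conf` and its `metadata/default.meta` and `metadata/local.meta`; merging those layers is left out here.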