Base Macros

also just a side note, really the only place I see the palo alto transforms data is under the app directory itself under default on the search head, no where else do I see it's transform data.

ah ya know i think you just called it.. checking my indexers none of the transforms.conf's under etc/system/local have anything for ## INDEX-TIME TRANSFORMS (like 1 stanza for another app) So since it needs to process the transforms at index time (forgive me im a noob) can I just insert the transforms from the conf file thats in my app directory on the search head into the #index-time transforms segment on the local transforms file on all my indexers (along with the appropriate props updates as well)? Talk about feeling dumb I've been looking at the search head this whole time.

1. No. But sourcetype must be set to pan_log. 2. No. The props/transforms are happening pre-indexing. Given the architecture described, you should ignore any reference to opening a port on a Splunk instance via inputs.conf. You've already got a functioning input (although the host_segment is of questionable value.) If the forwarder is a UF, and props/transforms from the PAN app are living happily on the Splunk Indexer(s) and the PAN app is installed on the Search Head, this should all flow well. I suspect missing props/transforms on the indexers, or inability to search the syslog index in app.

cont:
It is being tagged as the correct sourcetpye by the inputs.conf on the syslog server before it comes over, and it comes over in that stream with the index="syslog"

I guess what my question should be is, 1) does it need to be taged as index="pan_logs" for transforms to function, or 2) can I just point the app to look in the "syslog" index where all the data is and pull out it's sourcetpype for 'pan_log' to get transforms to start happening?

Thanks, yes so far I haven't edited or created any inputs.conf under the app directory, be it default or local, just on our forwarder on the syslog server. All the data is being captured though as it's specified on the inputs.conf on the syslog server that is forwarding the syslogs of a multitude of systems the pa just being another one of those, it just happens that the data isnt transforming. -comment continued . .

You shouldn't be editing anything in the default folder. Anything you want to modify should be in the local folder. I believe stanza/section's in local supersede anything in default. Here is what my inputs.conf in /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local

[udp://514]

connection_host = ip

sourcetype = pan_log

index = pan_logs

no_appending_timestamp = true

A follow up:

Well it appears that all the data coming in under 'pan_log' I can now manually search against, if i specify index= sourcetype=pan_log my assumption is that its not properly transforming to say .. pan_threat or pan_system etc.
transforms.conf and props.conf appear to be fine, I dont have an inputs conf under the dafault folder however and my local folder inputs.conf is empty.. does anyone have a good example of a proper inputs.conf for this app?

thanks

I should have noted that our syslog server is load balancing out to 6 indexers.