I followed the Palo Alto Add-on instructions and installed the TA on the receiving HF and my distributed non-clustered indexers.
I am noticing hundreds of parsed and extracted fields that are meaningless, i.e. fields created based on the parsing of a URI... It seems something is telling Splunk to parse the logs on commas and equal signs, for example.
Has anyone else experienced this? Does anyone know how to fix this issue? I am using the 6.2.0 version of the TA. I also put the app and TA on the SH but that causes a useful field "src" to disappear. After disabling it the src field returned.
It seems like the add-on is mis-configured, but I need some advice on how to troubleshoot this.
"fields created based on the parsing of a uri" can be an effect of KV_MODE=auto, which is enabled by default and applied at search-time.
Most of the Palo Alto sourcetypes (except pan:aperture) don't use kv mode extraction, so you can try to disable it.
Which particular sourcetype do you have a problem with? pan:traffic?
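As an added illustration of the override this answer suggests (not part of the original answer and not the add-on's own configuration), the props.conf stanza below shows the default setting beside the corrected one. KV_MODE is a search-time setting, so it takes effect where searches run (the search head), and the add-on directory name and local/ path are assumptions to adapt to your deployment:

```ini
# Added example, not from the original thread or the Palo Alto add-on.
# Assumed location: $SPLUNK_HOME/etc/apps/<your_pan_TA_directory>/local/props.conf
# (local/ overrides the add-on's default/ and survives add-on upgrades).

# Default behaviour when nothing sets KV_MODE for the sourcetype: Splunk splits
# events on key=value pairs at search time, which is what turns URI parameters
# into hundreds of meaningless fields.
# [pan:traffic]
# KV_MODE = auto

# Corrected stanza: disable automatic key=value extraction so only the
# add-on's own field extractions for this sourcetype apply.
[pan:traffic]
KV_MODE = none
```

After saving, restart Splunk (or reload search-time config) and verify which file wins with `splunk btool props list pan:traffic --debug`, which prints every props.conf that contributes to the stanza together with the file each setting comes from; if `KV_MODE = auto` still shows up from another app's props.conf, that app's stanza is overriding yours.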
As I understand it, the Palo Alto logs are very configurable. Work with your PA admin to ensure the TA is parsing what PA is sending.