I can use TCPDUMP and see that logs are being sent to the correct port. I can use ngrep to see the data in the packets being received. They are in the right IETF format. I can see the events coming in via the Splunk metrics logs. But no logs are getting to Splunk.
I'm using the 6.0.2 add-on
Inputs.conf
[udp://12002]
index = firewall-logs
disabled = false
sourcetype = pan:log
connection_host = ip
no_appending_timestamp = true
What metrics log show the events coming in? Metrics on forwarder, or metrics on indexer? Or do you have a single instance setup?
Have you tried searching over 'all time' in case there is some issue with the timestamp/timezone recognition?
What is your indication that they aren't being ingested? Are you not seeing a dashboard populate? Are you running a search and not able to find the data?