I saw the other forum posts, and they are not the same issue I am having. I have configured the PA to directly send syslogs to the Splunk server. It's a single-node deployment. I installed the add-on as well as the PA dashboard app. I am using the default syslog format of BSD with no custom formats.
I created a Pan_logs index and a UDP data input on 5514, with a sourcetype of pan:log. I have also tried other sourcetypes such as pan:firewall, pan:traffic, etc.
I can do a search on the index, and it comes up with all the syslog messages. The sourcetype is pan:traffic for most of them; config changes come in with pan:config.
The index is configured with the app of the add-on.
None of the data is being parsed into the dashboard. A search of eventtype="pan_firewall" yields no results.
What am I missing? I feel like it's a Splunk config I need.
To add to what I typed previously, when I search the index, it looks like the "sourcetype" is not being converted from "pan:config" to "pan_config"; all of the sourcetypes still have the ":" in them.