Splunk 6.1.1 build 207789 running on Ubuntu 14.04
PAN appliance logs show successful connection to syslog server.
Using defaults on PAN syslog settings.
Logs are seen with comma delimiters in straight Splunk. However, there is nothing showing up in Splunk for Palo Alto Networks.
Guidance or advice appreciated.
What is the sourcetype and index for the PAN logs? The sourcetype for the logs needs to be panlog and the index should be panlogs.
The app docs describe this in more detail: http://apps.splunk.com/app/491/
Thanks, okrabbesplunk. My misunderstanding of how Splunk works with the Splunk for Palo Alto Networks app has been cleared up. It is one or the other, not Splunk for Palo Alto Networks on top of Splunk. I had the sourcetype set as panlog. I was using the default index, though. Changing to pan_logs allowed for event support / different index.
Thanks for the pointer.
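The settings the thread arrives at, written out as Splunk configuration. This is an added example, not from the original thread or the app's documentation; the UDP port 514 input and the $SPLUNK_HOME paths are assumptions, the sourcetype panlog is what both posters state, and the index is written as pan_logs because that is the value the asker reports working (the answer spells it panlogs; check the app docs linked above for the exact name).

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf  (path assumed)
# Before: the default stanza sends PAN syslog to sourcetype=syslog, index=main,
# so the events are searchable in plain Splunk but the app never sees them.
[udp://514]
sourcetype = panlog
index = pan_logs
# Keep the sending firewall's address as host rather than the syslog relay
connection_host = ip

# $SPLUNK_HOME/etc/system/local/indexes.conf  (path assumed)
# The target index must exist or the events are dropped with an index-missing error
[pan_logs]
homePath   = $SPLUNK_DB/pan_logs/db
coldPath   = $SPLUNK_DB/pan_logs/colddb
thawedPath = $SPLUNK_DB/pan_logs/thaweddb
```

After a restart, `index=pan_logs sourcetype=panlog | head 5` should return events; if `index=main sourcetype=syslog` still shows the comma-delimited lines instead, the input stanza is not the one receiving the traffic.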
No problem! Glad you got it working. I posted the comment as an answer, so please accept the answer for posterity's sake 🙂