Hi All
Hoping someone can help me. I am trying to get the Palo Alto App working; we are a Splunk Cloud customer and have this app on our search head.
When I search for eventtype=pan I see the logs, but they are NOT reclassified.
Our setup is: we have our Palo Alto firewalls pushing to a syslog server on the standard port 514. This data is currently being ingested as one syslog stream via a universal forwarder, where sourcetype=syslog and index=syslog.
In inputs.conf in /opt/splunk/etc/system/local I have configured the below:
[monitor:///data/rsyslog/10.0.0.1/10.0.0.1.log]
index = pan_logs
sourcetype = pan:log
host_segment = 3
The guide states to configure your TCP outputs in /opt/splunkforwarder/etc/system/local/outputs.conf. In this file we have:
[tcpout]
indexAndForward = 1
As a Cloud customer we have our company app in root@syslog:/opt/splunk/etc/apps/OUR_COMPANY_APP/default
This app has an outputs.conf but no inputs file. The outputs.conf contains:
= inputs1.name.splunkcloud.com:9997,
inputs2.name.splunkcloud.com:9997,
inputs3.name.splunkcloud.com:9997,
inputs4.name.splunkcloud.com:9997,
inputs5.name.splunkcloud.com:9997,
inputs6.name.splunkcloud.com:9997,
The inputs file being used is in root@syslog:/opt/splunk/etc/apps/search/local
The Palo Alto app states to add your indexers: "Create or modify /opt/splunkforwarder/etc/system/local/outputs.conf and add a tcpout stanza."
Could I copy over the outputs from root@syslog:/opt/splunk/etc/apps/OUR_COMPANY_APP/default to /opt/splunkforwarder/etc/system/local/outputs.conf?
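Added example (not from the original post, and not the Palo Alto Networks app's or Splunk's own documentation): this is what a complete forwarder-side configuration for the setup described above could look like. It assumes the forwarder is a universal forwarder installed under /opt/splunkforwarder, that the Splunk Cloud credentials app is named OUR_COMPANY_APP as in the post, and that its tcpout group is called splunkcloud (an assumption; the real group name comes from the credentials package). The rsyslog path, index and sourcetype are taken from the post; the three inputsN hostnames are the post's placeholders.

```ini
# /opt/splunkforwarder/etc/system/local/inputs.conf   (added example, not from the post)
# Monitor the per-firewall rsyslog file and tag it for the Palo Alto app.
[monitor:///data/rsyslog/10.0.0.1/10.0.0.1.log]
index = pan_logs
sourcetype = pan:log
# host_segment counts path segments from the left: /data(1)/rsyslog(2)/10.0.0.1(3),
# so the host field becomes 10.0.0.1 rather than the syslog server's name.
host_segment = 3

# /opt/splunkforwarder/etc/apps/OUR_COMPANY_APP/default/outputs.conf
# Shape of the Splunk Cloud credentials app; the group name "splunkcloud" is an assumption.
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs1.name.splunkcloud.com:9997, inputs2.name.splunkcloud.com:9997, inputs3.name.splunkcloud.com:9997
# The TLS settings that ship with the credentials package (for example sslRootCAPath,
# the client certificate path and sslVerifyServerCert) belong in this stanza. Keep them
# here rather than re-typing them by hand in system/local.
```

Two things worth checking once this is in place. First, Splunk's configuration layering gives etc/system/local a higher priority than etc/apps/*/default, so a [tcpout] stanza in system/local/outputs.conf is merged on top of the app's rather than replacing it; run `splunk btool outputs list --debug` and `splunk btool inputs list monitor --debug` on the forwarder to see every effective setting together with the file it came from, which is the quickest way to confirm the monitor stanza is actually assigning sourcetype pan:log and that only one tcpout group is active. Second, indexAndForward only has an effect on a full Splunk Enterprise instance acting as a heavy forwarder; a universal forwarder cannot index, so it ignores that setting.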