Getting Data In

Why did Paloalto URL-Filtering Logs size started growing?

calvinmcelroy
Path Finder

Hi,

Paloalto is one of our largest log sources, and we have been ingesting many different types of pan logs for years via the Splunk_TA_paloalto add-on for Splunk. The firewalls are sending logs to a syslog server also functioning as a UF. On 04/14/22 we noticed that the pan:threat sourcetype has started to grow in volume. Its the roughly the same amount of events, but now the events are on average x2, x3, up to x5 larger in size of bytes.  I also noticed that some of the fields are receiving the wrong data. When I track this back, both issues started happening on 4/14. I have also determined that these larger logs are all coming from one HA pair, out of dozens. 

I am having a very tough time coming up with explanations for the growth, and options to fix the issue on the Splunk side. Has anyone every seen this or have any recommendations on how I may resolve the issue?

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...