Hi Splunk folks,

My team is seeing a pesky issue with Palo Alto logs where a small subset are not being sourcetyped into pan:traffic/threat, etc. As the pan:log is the default, we have a few logs that keep this sourcetype. We have attempted to regex and nullQueue out the remainder of the pan:log logs, but no success. When we implement this TRANSFORMS/Props.conf entry, we place it at the end as we understood the order followed a left to right priority.

Example of a log that is being sourcetyped as "pan:log", and we would want to drop. It seems as if this is fragmented from Syslog, but nonetheless, junk to us.

000-1823048e98,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-11-10T10:04:03.905+00:00,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",,dns,no,no,0

Palo Alto props.conf:

[pan_log]
pulldown_type = false
SHOULD_LINEMERGE = false
TIME_PREFIX = ^(?:[^,]*,){5}
MAX_TIMESTAMP_LOOKAHEAD = 100
TRANSFORMS-sourcetype = pan_threat, pan_traffic, pan_system, pan_config, pan_hipmatch, pan_correlation, pan_userid, pan_globalprotect, pan_decryption

We added a new nullQueue entry into the transforms.conf and then inserted the pan_discard after the last entry in the transforms above.

[pan_discard]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Any suggestions?