unconfigured/disabled/deleted index=pan_logs

Ric0 · ‎10-01-2020

I am running Splunk on Windows Server 2016. I attempted to send Palo Alto logs to Splunk but received the following error, "unconfigured/disabled/deleted index=pan_logs with source = source = udp:515 host = host = x.x.x.x

I edited the .conf file a number of times and restarted Splunk. I am following the instructions for the Palo Alto app, add-on, and configurations posted under Splunk Documentation. I believe that I need to re-configure or add an additional indexer, but I am not sure exactly where.

Thank you

richgalloway · ‎10-01-2020

The error message is saying an expected index has not been configured. Create the "pan_logs" index on each of your indexers using the method appropriate for your environment.

---
If this reply helps you, Karma would be appreciated.

Ric0 · ‎10-05-2020

I only have one Indexer, and I created the pan_logs index. I rebooted my Splunk server. When I check the Palo Alto app, I still do not receive any data.

Do I need to reboot the Palo Alto deivce?

I have Splunk installed on one server that is my Forwarder and Indexer. I also edited the Index.conf file under $Splunk_Home/etc/apps/local/Palo Alto and then rebooted the server.

unconfigured/disabled/deleted index=pan_logs

Windows

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting