Hi adonio,
We have installed PAN app 5.2 because TA 3.6.1 is already on our indexer. When PAN app was installed it started building the PAN firewalls logs datamodel.

our environment is

2xSplunk Indexer and then two search heads for Splunk Core and another two search heads for Splunk ES.
As noted we had TA 3.6.1 on the indexers
Splunk Core already had PAN app 5.2
I want to be able to use pantag on Splunk ES, so our options were to upgrade indexers and Splunk Core to 3.7.1/5.3.1 or just install PAN app 5.2 on the ES search head. My admin prefers the later.

The problem is that the PAN firewalls data model is going to eat 100GB+ and while it builds other datamodels are suffering. These are two seperate problems:

-We have not planned for the extra 100GB+ of datamodel
-my Network_Traffic datamodel (part of ES) based searches are not working correctly.

If this is a limitation, it will be a real shame since pantag has the potential to be a huge step up in our security posture.

the PAN data models: Palo Alto Networks Endpoint Logs, Palo Alto Networks Firewall Logs, and Palo Alto Networks WildFire Malware Reports are defined in the Palo Alto App (not the TA)
install the TA on all your instances. DO NOT install the app on the ES search head. for the reasons you mentioned above.
docs specificly tells that ES has to be installed by itself. read here more: http://docs.splunk.com/Documentation/ES/4.7.0/Install/DeploymentPlanning

Unfortunately, we tried the PAN App 5.2 first. Did not realize that this messes with the Splunk ES datamodels until much later. Found this answer describing it:

https://answers.splunk.com/answers/337816/why-does-a-tstats-search-for-an-accelerated-data-m.html

We disabled the PAN firewall data model acceleration but I think that the PAN data modeling is still messing with Splunk ES datamodels