Splunk Enterprise Security

Issues with pan: Why is firewall_cloud parser not parsing logs from Cortex Data Lake?


We are having issues with pan:firewall_cloud parser (which came with the Palo Alto Netowrks Add-on) not parsing logs from Cortex Data Lake. We are centralizing all of our SASE Prisma and Firewall logs into the Cortex Data Lake and then streaming them from there to Splunk Cloud via the HEC. When I configure that HEC to use the Source Type of pan:firewall_cloud, which was recommended in the setup docs,  we don't get field extraction. When I use a standard _json parser it extracts all fields as expected. Is anyone else having this issue? Is there a fix? I can't use any of the Palo dashboards and there is no CIM normalization happening without that official Add-on parser working. 

Labels (1)
Tags (2)
0 Karma


It's possible the app is out-of-date with Cortex Data Lake.  The app is supported by Palo Alto so you should contact them at https://splunk.paloaltonetworks.com/support.html

If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...