Hello Folks,
Please, I am having an issue where my PA app is not showing events, and I am able to run searches and find some results:
Background: I have moved all the VMs where we have our Splunk servers to a different VLAN.
After we did that, our PA app is not parsing the data anymore.
1- For example: eventtype=pan is working properly and I can see the logs. The issue is that most of the logs are TRAFFIC logs. Looking for THREAT, for example, returns nothing.
2- We updated to the latest app and we can set up the sourcetype = pan:log
Our inputs file:
[monitor:///apps/splunk_logs/panw/E*/panw.log]
sourcetype = pan:log
index = pan_logs
host_segment = 4
disabled = false
We can see the sourcetype pan:log in the search results but not the others, such as pan:threats, pan:config and so forth.
3- For the inputs file we have a deployment app that we're using, and we have it as above.
4- I tried installing the app and the add-on locally, created /local/inputs.conf and added the same info as above, and still nothing is showing.
Please advise?
Thanks!
Can you please expound on that update? What does "adding TA" mean?
I have fixed this issue by adding the TA to the HF and indexers, all of the ones I have, and it worked.
To be more specific, I ran another search: index=pan_logs "vulnerability" and I was able to find THREAT logs as needed. Not sure what is missing.
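An added illustration (my own Python, not the Palo Alto add-on's props/transforms) of why the fix above works: the monitor stanza assigns pan:log, and the per-type sourcetypes only appear after an index-time rewrite on the parsing tier (HF/indexers), keyed on the 4th CSV field of each PAN event. The sample lines, the pan:<type> names and the tier flag are constructed assumptions.

```python
import re
from typing import Optional

# Palo Alto CSV log body: field 4 (index 3) is the log type
# (TRAFFIC, THREAT, CONFIG, SYSTEM). A syslog header may precede the CSV.
_SYSLOG_HEADER = re.compile(r"^(?:<\d+>)?\w{3}\s+\d+\s[\d:]+\s\S+\s")
_KNOWN_TYPES = {"TRAFFIC", "THREAT", "CONFIG", "SYSTEM"}

# Constructed sample events (not taken from the thread).
SAMPLE_LINES = [
    "<14>Jan 10 12:00:01 pan-fw1 1,2024/01/10 12:00:01,001234,TRAFFIC,end,1,2024/01/10 12:00:00,10.0.0.5,10.0.0.9,0.0.0.0,0.0.0.0,allow-dns,,,dns,vsys1",
    "<14>Jan 10 12:00:02 pan-fw1 1,2024/01/10 12:00:02,001234,THREAT,vulnerability,1,2024/01/10 12:00:01,10.0.0.5,203.0.113.7,0.0.0.0,0.0.0.0,block-bad,,,web-browsing,vsys1",
    "<14>Jan 10 12:00:03 pan-fw1 1,2024/01/10 12:00:03,001234,CONFIG,0,1,2024/01/10 12:00:02,10.0.0.2,,set,web,admin,Succeeded",
    "<14>Jan 10 12:00:04 pan-fw1 1,2024/01/10 12:00:04,001234,SYSTEM,general,1,2024/01/10 12:00:03,,,general,,0,0,general,informational",
    "<14>Jan 10 12:00:05 pan-fw1 garbage line that is not a PAN log",
]

def pan_log_type(line: str) -> Optional[str]:
    """Return the PAN log type (4th CSV field), or None if the line does not parse."""
    body = _SYSLOG_HEADER.sub("", line, count=1)
    fields = body.split(",")
    return fields[3].strip() if len(fields) > 3 else None

def route_sourcetype(line: str, ta_on_parsing_tier: bool) -> str:
    """Sourcetype the event is indexed with. Without the add-on on the HF/indexers
    nothing rewrites the input stanza's sourcetype, so every event stays pan:log."""
    if not ta_on_parsing_tier:
        return "pan:log"
    kind = pan_log_type(line)
    # Unparseable lines keep the input's sourcetype instead of a bogus pan:<x>.
    return f"pan:{kind.lower()}" if kind in _KNOWN_TYPES else "pan:log"

def index_events(lines, ta_on_parsing_tier: bool):
    """Simulate the parsing tier: tag each raw line with its final sourcetype."""
    return [{"sourcetype": route_sourcetype(l, ta_on_parsing_tier), "_raw": l} for l in lines]

def search(events, sourcetype: Optional[str] = None, term: Optional[str] = None):
    """Tiny stand-in for: index=pan_logs [sourcetype=<st>] ["<term>"]."""
    return [e for e in events
            if (sourcetype is None or e["sourcetype"] == sourcetype)
            and (term is None or term.lower() in e["_raw"].lower())]

if __name__ == "__main__":
    for has_ta in (False, True):
        ev = index_events(SAMPLE_LINES, has_ta)
        print(f"TA on parsing tier={has_ta}: sourcetype=pan:threat -> "
              f"{len(search(ev, 'pan:threat'))} hits, "
              f'"vulnerability" raw search -> {len(search(ev, term="vulnerability"))} hits')
```

Running it shows the situation in the thread: with the TA absent from the parsing tier the raw search for "vulnerability" still finds the THREAT event, but sourcetype=pan:threat returns nothing because every event was indexed as pan:log.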