I upgraded Splunk on my indexers from splunk-6.3.0 to splunk-6.3.2, and am now able to see the following sourcetypes:
pan:traffic
pan:log
pan:threat
pan:system
pan:config
Since I have no plans to revert my version of Splunk, this is not repeatable.
Incidentally, my index is still pan_logs, and my next step is to place my entries in my UF's inputs.conf vs. the add-ons.
Posting in case someone else experiences a similar issue.
UPDATE:
My indexers are in a multi-site indexer cluster. Today, I installed another non-PA related indexer add-on, and upon a rolling restart, my Palo Alto app again began to experience the same issues I had thought were resolved with the Splunk upgrade.
In retrospect, the upgrade didn't make any sense; I pored through the errata for the upgrades, and nothing closely resembling my issues seemed to fit.
After looking at logs, I decided to install the PA add-on onto my deployment server, then push my apps once more to my indexers, followed by several rolling restarts, an app/TA add-on install, removal, etc., etc., and voila: I am sure my issues are with the indexer cluster being unable to install the add-on from the PA app. They installed one time, then were later removed; this deserves a closer look.
Regards,
-mi