the solution is to disable the timestamp processor: http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/TuneTimestampExtractionForBetterIndexingPerformance#Disable_timestamp_processor "Splunk does not look at the text of the event for the timestamp. Instead, it uses the event's "time of receipt" ... View more

1) based on my testing, it does have to run under the admin account or a user in the admin role. based on your question, i created another splunk question to get help: http://splunk-base.splunk.com/answers/75013/minimum-permissions-required-for-using-http-simple-receiver 2) seems to be the case. although, to be clear, this is not necessarily tied to the FireEye app but to anything that attempts to use the http simple receiver, REST endpoint. 3) you don't need anything in inputs.conf. the http post specifies the input and the neccesary parameters. 4) in your scenario, fireeye is sending the data to the forwarder. so the user/passwd you use in the fireeye config must have the appropriate permissions in the forwarder. ... View more

The ammap app is here: http://splunk-base.splunk.com/apps/22372/splunk-for-use-with-ammap-flash-maps Your views arent working because of the index name being different. You can edit $SPLUNK_HOME/etc/apps/SplunkForPaloAloNetworks/local/macros.conf. Create a stanza [pan_index] definition = index=main Restart Splunk. This will fix all views except for the main landing page (pan_overview_switcher_maps) . It is generally a god idea to keep indexes separated but not necessary. To fix the main dashboard, go to manager, user interface, views, and edit the pan_overview_switcher_maps view. Replace wherever it says index=pan_logs with 'pan_index' (enclosed in back tick not a single quote). Cheers, Monzy ... View more

adding to the summary indexing discussion: please take a look at this post: http://splunk-base.splunk.com/answers/5837/summary-indexing-on-a-search-head . also, if you plan on using multiple indexers, i would discourage the use of summary indexes for now. admittedly, the summary indexing use is not the best in this app. the summaries are of a high dimensionality, which results in a low summarized to raw data ratio. ultimately, the summaries will become very large. i am working on a better strategy for this. 'pan_threat' host="pa*" : i was unable to recreate this issue. this search works ok on a newly installed splunk instance with a fresh install of the app. the reason for : This - index="pan_logs" pan_threat | bin _time span=5m | fillnull vsys app category src_ip dst_ip severity RISK threat_id CATEGORY | stats count by vsys app threat_id severity category src_ip dst_ip log_subtype CATEGORY RISK _time works because the pan_logs index is not in the default search path of the user running the search. i appreciate your feedback. i have added several things to my to do list for the next version of the app. happy to talk to you in person about some of this. ... View more

it is possible that another app is conflicting with the Palo Alto app (or vice versa). can you please disable other apps and see if the condition still exists. ... View more