Resolution: The initial setup described in my opening post is correct, but the Lambda script needs to contain the following: 1) Correct VPC 2) Correct Subnet 3) Correct Security Group 4) Correct Role Without these, the Lambda script will not be able to access a non-default VPC, and the Lambda script will continuously timeout (the error I was originally receiving). Also, this can be done with an AWS Kinesis stream, though I have not set this up myself: https://www.splunk.com/blog/2018/02/22/serving-it-up-with-aws-and-splunk-aws-serverless-application-repository-now-available.html This Kinesis Stream resolution may be required moving forward if Splunk does not update their blue-print for the AWS Lambda script. As of April 30, 2019, node.js v6.10 will be EOL in AWS and therefore the blueprint will be unavailable after this point. Finally, the GuardDuty Add-on for Splunk should be installed to correctly parse the data that is ingested into Splunk. Feel free to reach out if any questions on this. ... View more

Hi muralikoppula, All Palo Alto datamodels have been accelerated already. Thanks. ... View more

Yes, I've just confirmed this looking at the inputs.conf file. I've also confirmed that Splunk is successfully parsing this data into the correct subtypes (e.g. pan:firewall) based on searches performed in the Search & Reporting app. ... View more

Hello harsmarvania57, I've been unable to get traffic directly from Panorama to the Splunk Indexer. I've pointed the Panorama syslogs back to the syslog server, and the Indexer is now receiving traffic. I am back to troubleshooting the fact that the Realtime Event Feed displays data, but no other Dashboard does. I've read through the recommendations at https://splunk.paloaltonetworks.com/troubleshoot.html, and verified the following: -Datamodel is fully built. All Palo Alto datamodels are at 100%. -Acceleration is enabled. Any further ideas? ... View more

Quick update: As we've been discussing this, Panorama has been sending the syslog information to a syslog server, and that syslog server has a forwarder on it sending the traffic to the Splunk Indexer. I've removed this configuration and created a new configuration forwarding logs directly from Panorama to the Splunk Indexer. After doing this, the Real-Time feed in the app is no longer displaying information, and I cannot search for new data in the Search & Reporting App. This tells me that there must be something wrong with the new configuration. I'd like to correct this configuration before moving forward, as this is a fresh configuration that I'll be familiar with. I'm hopeful that once I can get data to be ingested properly with this configuration, data will be displayed on the remaining dashboards. I will take some time to do this then provide an update here. Thank you for your help so far! ... View more

Still no luck unfortunately. Only the real-time dashboard is displaying data. ... View more

Okay, thank you. I will wait a few more minutes to see if the dashboards generate results. A related question -- on the Palo Alto Network Add-on on the Indexer under the Configuration tab...what account are they asking for? ... View more

Looking under Operations -> Realtime Event Feed, I am actually seeing new data being fed in. Just no other dashboard appears to be working. I did enable Datamodel Acceleration. ... View more

And I would do this on the Search Head not the Indexer? ... View more

They are not accelerated. What would enabling this within the context of the Palo Alto app do? ... View more

Hi harsmarvania57, I see various Palo Alto Networks Logs, but no indication of status. They seem to be built out though with various sourcetypes defined. Size on disk is several TB with a small percentage being used. Diskspace should be no issue. If the Search & Reporting app is able to find the logs from the Panorama, shouldn't the App be able to? Or is there a separate configuration page for the App for it to find the data? ... View more

Unfortunately I'm not able to get any of the Dashboards to display data -- Web Activity, User Behavior, etc. Again, despite being able to see the raw data in the Search & Reporting App. ... View more

Hi harsmarvania57, thanks for the reply. I was able to get traffic from Panorama into the Splunk Indexer (I see traffic using the Search & Reporting App), but the data still isn't appearing in the Palo Alto Networks App. Any idea why? ... View more

Thank you, kchamplin! ... View more