It looks like the firewall host name is carried as the last comma-separated field of the raw log, so I created a transforms.conf in my SplunkforPaloAltoNetworks/local directory with the following stanzas (one per PAN-OS log type):
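# Comma-delimited extraction for PAN-OS THREAT logs. The field order must match
# the threat log format of the PAN-OS version that produced the events; the
# final field is the device name, captured here as dvc.
# Review notes:
#  - Placeholder names are now unique. The original list reused future_use1,
#    future_use3 and future_use4 for different columns, which leaves those
#    positions ambiguous (same field name, different columns).
#  - DELIMS splits on every comma. If a value such as misc (URL) ever contains
#    an unescaped comma, every position after it shifts; verify against real
#    events before relying on the later fields.
#  - dvc is read from the log payload, not from the syslog transport, so it is
#    only as trustworthy as the sender of the log.
[extract_threat]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dst_ip","nat_src_ip","nat_dst_ip","rule_name","src_user","dst_user","application","virtual_system","src_zone","dst_zone","ingress_interface","egress_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dst_port","nat_src_port","nat_dst_port","flags","protocol","action","misc","threat_name","category","severity","direction","sequence_number","action_flags","src_location","dst_location","future_use4","content_type","pcap_id","file_digest","cloud_address","url_index","user_agent","filetype","xff","referrer","sender","subject","recipient","report_id","future_use6","future_use7","future_use5","future_use8","future_use9","dvc"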
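# Comma-delimited extraction for PAN-OS TRAFFIC logs. The field order must match
# the traffic log format of the PAN-OS version that produced the events; the
# final field is the device name, captured here as dvc.
# Review notes:
#  - Placeholder names are now unique. The original list reused future_use3,
#    future_use4 and future_use5 for different columns, which leaves those
#    positions ambiguous (same field name, different columns).
#  - DELIMS splits on every comma; a stray comma inside any value shifts every
#    position after it. Verify against real events.
#  - dvc is read from the log payload, not from the syslog transport, so it is
#    only as trustworthy as the sender of the log.
[extract_traffic]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","generated_time","src_ip","dst_ip","nat_src_ip","nat_dst_ip","rule_name","src_user","dst_user","application","virtual_system","src_zone","dst_zone","ingress_interface","egress_interface","log_forwarding_profile","future_use3","session_id","repeat_count","src_port","dst_port","nat_src_port","nat_dst_port","flags","protocol","action","bytes","bytes_sent","bytes_received","packets","start_time","elapsed_time","category","future_use4","sequence_number","action_flags","src_location","dst_location","future_use5","packets_sent","packets_received","session_end_reason","future_use8","future_use9","future_use10","future_use6","future_use7","dvc"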
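# Comma-delimited extraction for PAN-OS CONFIG (audit) logs. The field order
# must match the config log format of the PAN-OS version in use; the final
# field is the device name, captured here as dvc.
# Review notes:
#  - Placeholder names are now unique; the original list used future_use3 for
#    two different columns.
#  - before_change / after_change carry configuration content and may include
#    commas; if they do, DELIMS shifts every later position. Verify against
#    real events.
#  - dvc is read from the log payload, not from the syslog transport, so it is
#    only as trustworthy as the sender of the log.
[extract_config]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","future_use3","admin_ip","virtual_system","command","admin","admin_type","result","configuration_path","before_change","after_change","sequence_number","action_flags","future_use8","future_use4","future_use5","future_use6","future_use7","dvc"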
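# Comma-delimited extraction for PAN-OS SYSTEM logs. The field order must match
# the system log format of the PAN-OS version in use; the final field is the
# device name, captured here as dvc.
# Review notes:
#  - Placeholder names are now unique. The original list reused future_use3,
#    future_use4 and future_use5 for different columns, which leaves those
#    positions ambiguous (same field name, different columns).
#  - description is free text and may contain commas; if it does, DELIMS
#    shifts every later position, including dvc. Verify against real events.
#  - dvc is read from the log payload, not from the syslog transport, so it is
#    only as trustworthy as the sender of the log.
[extract_system]
DELIMS = ","
FIELDS = "future_use1","receive_time","serial_number","type","log_subtype","future_use2","future_use3","virtual_system","event_id","object","future_use4","future_use5","module","severity","description","sequence_number","action_flags","future_use8","future_use9","future_use10","future_use6","future_use7","dvc"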
This assigns the firewall host name from the log body to the dvc field. I then also disabled the app's field alias for dvc so that the extracted value would not be overwritten by the value of the host field. I was not sure how to disable a field alias, so I commented out those FIELDALIAS lines in the default/props.conf file. Caveat: changes in an app's default/ directory are discarded when the app is upgraded; the supported way is to override the same FIELDALIAS-… key in local/props.conf (local settings take precedence over default) rather than editing default/ directly.