We're trying to deploy the Splunk for Palo Alto app in our environment (Windows). The app seems to have loaded correctly, as have the required resources from the apps page.
We set up the configs on the Palo Alto side, and traffic appears to be hitting the Splunk environment; however, nothing is showing up in Splunk.
The inputs.conf file is defined as:
[udp://514]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
disabled = 0
With the macros.conf file as:
# Each definition is a single line; a nested macro reference is only expanded when its name is wrapped in backticks.
[pan_index]
definition = index=pan_logs
[pan_threat]
definition = `pan_index` (sourcetype="pan_threat" OR sourcetype="pan_threat-2050") NOT "THREAT,url"
[pan_threat_all]
definition = `pan_index` (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_traffic]
definition = `pan_index` sourcetype="pan_traffic"
[pan_system]
definition = `pan_index` sourcetype="pan_system"
[pan_config]
definition = `pan_index` sourcetype="pan_config"
[pan_web_activity]
definition = `pan_index` "THREAT,url" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_url]
definition = `pan_index` "THREAT,url" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_data_filtering]
definition = `pan_index` "THREAT,data" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_data]
definition = `pan_index` "THREAT,data" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_wildfire]
definition = `pan_index` "THREAT,wildfire" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
[pan_wildfire_report]
definition = `pan_index` sourcetype="pan_wildfire_report"
[tstats]
definition = tstats `tstats_local`
[tstats_local]
definition = false
Hi rheed. Here are a few things to check...
First, click 'Search' in the menu bar, set the time range to "All time", and use one of the available macros, like...
`pan_index`
Just for clarity, those are back-ticks surrounding the macro, not apostrophes. You should get at least one event to come up with this search.
If you see events here, verify they are in a format where each field is separated by a comma. If the fields are separated by spaces or any other character, you probably have a custom format set in your firewall syslog settings. Remove it to restore the default syslog format.
If you did not see events in the search, try these troubleshooting steps...
`no_appending_timestamp = true` from inputs.conf.
Let me know if any of these help solve the issue. Thanks!
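An added example, not from the answer above or from the app, that automates the format check the answer recommends: it strips the syslog header from sample PAN-OS lines, tests whether the fields are comma-separated with a recognised log type in the fourth field, and maps each event to the app macro that would select it. The sample lines are constructed, and the field positions (type in field 4, subtype in field 5) are the default PAN-OS CSV layout as assumed here.

```python
import csv
import re

# RFC 3164 header the firewall prepends: "<PRI>Mon dd hh:mm:ss hostname "
SYSLOG_HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
LOG_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "CONFIG"}

# Constructed sample lines (not real firewall output).  The first two use the
# default comma-separated PAN-OS format; the third mimics a custom syslog
# format in which the commas were replaced with spaces.
SAMPLES = [
    '<14>Jan 15 10:00:00 PA-200 1,2014/01/15 10:00:00,001606001116,TRAFFIC,end,1,'
    '2014/01/15 10:00:00,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,'
    'vsys1,trust,untrust,ethernet1/2,ethernet1/1,log-forward,2014/01/15 10:00:00',
    '<14>Jan 15 10:00:01 PA-200 1,2014/01/15 10:00:01,001606001116,THREAT,url,1,'
    '2014/01/15 10:00:01,10.0.0.5,93.184.216.34,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,'
    'vsys1,trust,untrust,ethernet1/2,ethernet1/1,log-forward,2014/01/15 10:00:01,'
    '"example.com/",block-url',
    '<14>Jan 15 10:00:02 PA-200 1 2014/01/15 10:00:02 001606001116 TRAFFIC end 1 '
    '2014/01/15 10:00:02 10.0.0.5 93.184.216.34 0.0.0.0 0.0.0.0 allow-web web-browsing',
]


def parse_pan_syslog(line):
    """Classify one syslog line as default (CSV) PAN-OS format or custom."""
    body = SYSLOG_HEADER.sub("", line.strip(), count=1)
    fields = next(csv.reader([body]))          # csv handles quoted commas
    if len(fields) < 5 or fields[3] not in LOG_TYPES:
        return {"format": "custom", "type": None, "subtype": None, "fields": len(fields)}
    return {"format": "default", "type": fields[3], "subtype": fields[4],
            "fields": len(fields)}


def macro_for(record):
    """Most specific app macro (from the macros.conf above) that selects this event."""
    if record["format"] != "default":
        return None
    if record["type"] == "THREAT":
        # The "THREAT,url" style literals in the macros match type+subtype pairs.
        return {"url": "pan_url", "data": "pan_data", "wildfire": "pan_wildfire"}.get(
            record["subtype"], "pan_threat")
    return "pan_" + record["type"].lower()


def summarize(lines):
    """Count lines per detected format; custom-format lines never reach the macros."""
    counts = {"default": 0, "custom": 0}
    for line in lines:
        counts[parse_pan_syslog(line)["format"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_pan_syslog(line)
        print(rec["format"], rec["type"], rec["subtype"], macro_for(rec))
    print(summarize(SAMPLES))
```

Feed it the raw events returned by a `pan_index` search over "All time" (or a packet capture of UDP 514 on the Splunk host): a summary dominated by "custom" means the firewall's syslog profile has a non-default format and the app's sourcetype extractions and macros will not match those events.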