Splunk for Palo Alto Networks: How does the config...

iacobeaj · ‎04-20-2015

I have an indexer cluster (4) members and I am wondering how getting data from our 3 PAN devices. I have the app installed on our clustered search heads, but I am also wondering if we will need the app on the indexers as well. Ideally, I would like to have each of the devices load-balance their data to the indexers (like a forwarder does), but I do not know if this is possible. Any advice would be of great help!

rsennett_splunk · ‎08-10-2015

You might find this helpful:

https://live.paloaltonetworks.com/docs/DOC-9683
it is an addendum to the original and references clustered indexers.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

alacercogitatus · ‎07-03-2015

The documentation Palo Alto provides is not a best practice for collecting syslogs. There is a great discussion on this at : http://www.georgestarcher.com/splunk-success-with-syslog/. Start there, it will help scale your collection of syslogs.

This App doesn't specifically mention any configurations for Indexer Clusters or Search Clusters. I'd throw it everywhere just to make sure all configs are where they need to be.

dflodstrom · ‎07-02-2015

Have you gotten this sorted out?

Splunk for Palo Alto Networks: How does the configuration of the app change with an Indexer Cluster?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life