Splunk for Palo Alto - Config - Different Index name than default

mflippin
New Member

I've installed the Splunk for Palo Alto app and while attempting to configure it found this reference.
"In the inputs.conf file, add the following configuration. For UDP syslogs, make sure to include the line no_appending_timestamp = true.
[udp://5514]
index = pan_logs
sourcetype = pan_log
connection_host = ip
no_appending_timestamp = true"

The issue is my Palo logs are already in Splunk with the following (multiple source types).
index=paloalto
sourcetype=pan_traffic
sourcetype=pan_threat
sourcetype=pan_system
sourcetype=pan_config

How do I change the app to meet my current configuration? I guess I'm a bit lost on what exactly to do. I've tried to modify the XML, but it doesn't seem to work.

Thanks,
M

0 Karma

btorresgil
Builder

Unfortunately the answer from scruse won't work completely because the macros and datamodel in the app all refer to the pan_logs index. You can use scruse's answer for the index if you also do a find/replace of all references to the pan_logs index in the app. Many customers do this when they want to rename the index from pan_logs to something else.

Another option is to rename the index to pan_logs. Renaming an index in Splunk is non-trivial and I believe it requires actually creating a new index called pan_logs and moving the data over to it. Google or Splunk support can provide more guidance.

Regarding the sourcetype, you don't need to modify anything there. The sourcetype from the inputs.conf (pan_logs) is just a placeholder sourcetype. Splunk actually parses the logs of this sourcetype in order to move the log to the correct final sourcetype (pan_traffic, pan_threat, pan_config, pan_system). So just use pan_log as the sourcetype in inputs.conf, and it will automatically take care of parsing and moving the events to the other sourcetypes.

0 Karma
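To make the find/replace btorresgil describes repeatable and reviewable, the script below rewrites every `index=pan_logs` reference in an app's `default/` tree into a copy under `local/`, which Splunk layers over `default/` so the original files stay untouched and survive app upgrades. This is an added example, not code from the thread or from the Palo Alto app: the app directory layout and file contents it builds (`macros.conf`, `data/models/pan.json`, `inputs.conf`) are constructed for illustration, and `APP_DIR`, `OLD_INDEX` and `NEW_INDEX` are assumed parameters you would point at the real app.

```shell
#!/bin/sh
# Added example (not from the Splunk community thread or the Palo Alto app itself):
# rewrite every reference to the app's default index (pan_logs) to a site-specific
# index name, writing the edited copies under local/ so default/ stays pristine.
# The app tree built by make_demo_app is constructed for illustration only; real
# app file names may differ, so run list_index_refs against the real app first.

APP_DIR="${APP_DIR:-/tmp/pan_app_demo}"   # assumption: $SPLUNK_HOME/etc/apps/<app name> in practice
OLD_INDEX="${OLD_INDEX:-pan_logs}"       # index name hard-coded in the app's macros and data model
NEW_INDEX="${NEW_INDEX:-paloalto}"       # index the logs already live in at this site

# Build a small constructed app tree with the kind of references the thread describes:
# macros.conf and a data model JSON under default/ that hard-code index=pan_logs.
make_demo_app() {
  mkdir -p "$APP_DIR/default/data/models"
  cat > "$APP_DIR/default/macros.conf" <<'EOF'
[pan_index]
definition = index=pan_logs
[pan_traffic]
definition = `pan_index` sourcetype=pan_traffic
EOF
  cat > "$APP_DIR/default/data/models/pan.json" <<'EOF'
{"modelName":"pan","objects":[{"baseSearch":"index=pan_logs sourcetype=pan_traffic"}]}
EOF
  # inputs.conf already points at the site index and must be left alone.
  cat > "$APP_DIR/default/inputs.conf" <<'EOF'
[udp://5514]
index = paloalto
sourcetype = pan_log
EOF
}

# Regex for "index = NAME" that does not also match a longer name (e.g. NAME_archive).
ref_pattern() {  # $1 = index name
  printf 'index[[:space:]]*=[[:space:]]*%s([^[:alnum:]_]|$)' "$1"
}

# List files under default/ that still mention the old index.
list_index_refs() {
  grep -rlE "$(ref_pattern "$OLD_INDEX")" "$APP_DIR/default" 2>/dev/null || true
}

# Copy each referencing file to the same relative path under local/ with the index renamed.
rename_index_refs() {
  list_index_refs | while IFS= read -r f; do
    rel="${f#"$APP_DIR/default/"}"
    dest="$APP_DIR/local/$rel"
    mkdir -p "$(dirname "$dest")"
    sed -E "s/(index[[:space:]]*=[[:space:]]*)$OLD_INDEX([^[:alnum:]_]|\$)/\1$NEW_INDEX\2/g" "$f" > "$dest"
  done
}

# Count references to an index name across local/ so the rewrite can be verified.
count_refs() {  # $1 = index name
  grep -rhoE "$(ref_pattern "$1")" "$APP_DIR/local" 2>/dev/null | wc -l | tr -d ' '
}
```

Usage against a real install would be `APP_DIR=/opt/splunk/etc/apps/<app> NEW_INDEX=paloalto sh -c '. ./rename.sh; list_index_refs; rename_index_refs; count_refs pan_logs'`, then a Splunk restart or debug refresh; a non-zero `count_refs pan_logs` afterwards means a reference in a form the regex did not catch (for example inside a saved search string) and needs a manual look.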

scruse
Path Finder

Within the app's inputs.conf, you can specify the changes to the index and sourcetype to match your current environment needs.

Using the network input you provided as an example:

[udp://5514]
index = pan_logs
sourcetype = pan_log
connection_host = ip
no_appending_timestamp = true

you could do:

[udp://5514]
index = paloalto
sourcetype = pan_<whichever sourcetype you want to put it in>
connection_host = ip
no_appending_timestamp = true

scruse
Path Finder

If this has answered your question, please consider marking this question as answered. Thank You.

0 Karma