Base Macros

Morfoot · ‎11-11-2011

I can see data being collected from my Palo Alto Devices (4 of them), but when I switch over to the Palo Alto App there is no data. Tried adding this into 2 locations:

connection_host = IP Address
sourcetype = pan_log
no_appending_timestamp = true

under the file "inputs.conf" (located at \SplunkforPaloAltoNetworks\local and \Splunk\etc\system\local and \Splunk\etc\system\default) with no results.

Anyone know the answer?

sC0rP1u5 · ‎05-11-2012

I might be a little late for an answer but I just came across this issue today because we just started setting up our PAs.

My solution was to modify the macros.conf file located here $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/macros.conf.

The portion of the conf file I modified are below:

Base Macros

[pan_threat]
definition = index=indexname sourcetype="pan_threat" NOT "THREAT,url"

[pan_traffic]
definition = index=indexname sourcetype="pan_traffic"

[pan_system]
definition = index=indexname sourcetype="pan_system"

[pan_config]
definition = index=indexname sourcetype="pan_config"

[pan_web_activity]
definition = index=indexname sourcetype="pan_threat" "THREAT,url"

You'll notice that in your macros.conf file you won't have the index specified.

Hopefully this helps or at least helps others that come across this issue in the future.

rmangram · ‎06-10-2015

I tried this out and I am not getting data, do you know know if there are any other suggestions?

gskorski · ‎03-01-2012

I have the same issue. How did you solved it?

No Data in Palo Alto App

Base Macros

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life