Hello Team,
I am trying to set up the Wildfire API report download.
Prerequisites are met: the API key is set up, and we get Wildfire logs through syslog.
While debugging I noticed the following saved search is triggered:
search = pan_wildfire verdict="malicious" | panwildfirereport | table wildfire_report | rename wildfire_report AS _raw | collect index=main sourcetype=pan:wildfire_report
I see two issues: the pan_wildfire alias seems not to work without an index, and the script stores the result in the main index, which should be empty.
I am wondering if anybody got this working?
Python.log shows no entries.
Kind regards
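Added example, not from the original post or from the Palo Alto add-on: the same saved search rewritten so that the source events are read from an explicit index and the generated reports are written to a dedicated index instead of main. The index names <pan_log_index> and <wildfire_report_index> are placeholders for your own indexes; the pan_wildfire alias, the panwildfirereport command, the wildfire_report field and the pan:wildfire_report sourcetype are the ones that appear in the post above. The second search is a check that the collected reports landed where expected.

```spl
index=<pan_log_index> pan_wildfire verdict="malicious"
| panwildfirereport
| table wildfire_report
| rename wildfire_report AS _raw
| collect index=<wildfire_report_index> sourcetype=pan:wildfire_report

index=<wildfire_report_index> sourcetype=pan:wildfire_report
| stats count
```

Both the read index and the collect index must exist on the indexer before the saved search runs, and the search owner needs write access to the collect index; if the count in the second search stays at zero while the WildFire syslog events are visible in <pan_log_index>, the panwildfirereport step (and its python.log output) is the next place to look.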
Are you using the add-on to collect the logs and the apps?
https://splunkbase.splunk.com/app/491/
https://splunkbase.splunk.com/app/2757/
I have used the add-on and used another index to receive traffic and threat feeds from the Palo Alto IPS.