How to globally apply the field extractions from t...

sbattista09 · ‎03-01-2016

I would like to globally apply the field extractions for the Palo Alto Networks App for Splunk and lock it down to its index so we do not get false positive matches when looking at data in another index. The goal is to have a dashboard listing our products metrics, however, the Palo Alto fields do not show up in the search app - they only show up in the Palo Alto app.

btorresgil · ‎03-03-2016

As kchamplin describes, the exports describe what is visible to other apps. You can change the exports in the existing app. Or, the latest Palo Alto Networks App 5.0 and Add-on export the field extractions to other apps by default. So upgrading to the latest app and addon from splunkbase will fix it.

kchamplin_splun · ‎03-01-2016

The app shouldn't be exporting any field names, it would be the TA (Splunk_TA_paloalto), and be default I believe it is set to export everything, at least on the latest version - per its default.meta file.
[]
access = read : [ * ], write : [ admin, power ]
export = system

how are you constructing your searches? most of these fields are associated with the sourcetype pan:*.

How to globally apply the field extractions from the Palo Alto Networks App for Splunk?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio