Base Macros

Morfoot · ‎11-11-2011

I can see data being collected from my Palo Alto Devices (4 of them), but when I switch over to the Palo Alto App there is no data. Tried adding this into 2 locations:

connection_host = IP Address
sourcetype = pan_log
no_appending_timestamp = true

under the file "inputs.conf" (located at \SplunkforPaloAltoNetworks\local and \Splunk\etc\system\local and \Splunk\etc\system\default) with no results.

Anyone know the answer?

sC0rP1u5 · ‎05-11-2012

I might be a little late for an answer but I just came across this issue today because we just started setting up our PAs.

My solution was to modify the macros.conf file located here $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/default/macros.conf.

The portion of the conf file I modified are below:

Base Macros

[pan_threat]
definition = index=indexname sourcetype="pan_threat" NOT "THREAT,url"

[pan_traffic]
definition = index=indexname sourcetype="pan_traffic"

[pan_system]
definition = index=indexname sourcetype="pan_system"

[pan_config]
definition = index=indexname sourcetype="pan_config"

[pan_web_activity]
definition = index=indexname sourcetype="pan_threat" "THREAT,url"

You'll notice that in your macros.conf file you won't have the index specified.

Hopefully this helps or at least helps others that come across this issue in the future.

rmangram · ‎06-10-2015

I tried this out and I am not getting data, do you know know if there are any other suggestions?

gskorski · ‎03-01-2012

I have the same issue. How did you solved it?

No Data in Palo Alto App

Base Macros

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio