We have been using Splunk for PaloAlto for a few years now and recently upgraded to the latest version. Since upgrading, most of the application appears to have stopped working. After reading the readme, I have a number of questions:
Can someone post a link to the Splunk for AMMAP maps application. We only have Google maps installed and would be happy to stay with that, but we are not sure if this is why no data is being displayed and want to try adding that application before we start tinkering with other parts of the system.
We noticed that the readme calls for creating a different index for Palo Alto. We never did that and have over 2 billion entries already in our index. Since that wasn't required for operation in the past, are we going to have to do that now? All of our logs are in main. We identify PAN_LOGS by pushing logs from the PaloAlto to a dedicated port that marks the log Source Type. From what I can see, the app now requires the index to be named PAN_LOGS. Can we reconfigure the application to use main so we don't need to figure out how to move 2 billion plus existing logs?
While writing this we have found some information about inputs.conf that we are going to try to figure out. If we are headed in the wrong direction, we would appreciate a pointer to the right way to fix this.