Thank you so much for the information. I was able to get data to my Splunk, but now I cannot get the app to work. I do not show that I have a sourcetype as pan_log. I am getting data to my index called Pan_logs. I am using the 4.x inputs.conf as I am not on 5.x, so this inputs file I do have on my universal forwarder as follows:
[udp://5514]
connection_host = ip
index = pan_logs
sourcetype = pan_log
no_appending_timestamp = true
disabled = 0
I have this configuration under each of my three indexers. I put it in the app under the local folder and also under the add-on under the local folder.
Could use a little help here as well! Again, thank you for all your help.