First you need to fix all of the queries that were imported as part of the application install. It is possible I am doing this the hard way, so maybe someone can give us ideas on how to clean up.
While in the SRX application (web browser) select Settings > All Configurations.
For each SRX Traffic savedsearch in the list, edit the query by replacing 'srx_traffic' with sourcetype=srx_traffic.
For each SRX Threat savedsearch in the list, edit the query by replacing 'srx_threat' with sourcetype=srx_threat.
The next step needs to be completed on the Splunk server (console session for Linux systems).
Locate the Splunk directory. For us it was /opt/splunk/.
Navigate to the following subfolder: etc/apps/SplunkforJuniperSRX/default
Edit macros.conf:
Replace every instance of 'srx_traffic' with sourcetype=srx_traffic
Replace every instance of 'srx_threat' with sourcetype=srx_threat
Replace every instance of action!=CREATE with NOT (action=CREATE)
After completing these changes you should have a working traffic dashboard, but your threat dashboard may remain blank. I will address that issue in a follow-on message.
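The three macros.conf substitutions above can be scripted instead of hand-edited. The shell script below is an added example, not part of the post or of the Splunk for Juniper SRX app; the macros.conf contents it builds are a constructed sample, and the stanza names in it are invented. It touches only "definition = ..." lines so macro stanza names are left alone, keeps a .bak copy, and is safe to run twice (an already-qualified sourcetype=srx_traffic is not turned into sourcetype=sourcetype=srx_traffic).

```shell
#!/bin/sh
# Hypothetical helper (not app code): apply the macros.conf fixes from the post.
set -eu

# Rewrite the definition lines of a macros.conf in place, keeping a backup.
# Note the second run overwrites the backup with the already-fixed file, so
# keep a separate copy of the original if you want to roll back later.
fix_srx_macros() {
    file="$1"
    cp "$file" "$file.bak"
    # Placeholders protect terms that are already qualified, then the bare
    # terms are qualified, then the placeholders are restored.
    sed -e '/^definition[[:space:]]*=/ {
        s/sourcetype=srx_traffic/@@ST_TRAFFIC@@/g
        s/sourcetype=srx_threat/@@ST_THREAT@@/g
        s/srx_traffic/sourcetype=srx_traffic/g
        s/srx_threat/sourcetype=srx_threat/g
        s/@@ST_TRAFFIC@@/sourcetype=srx_traffic/g
        s/@@ST_THREAT@@/sourcetype=srx_threat/g
        s/action!=CREATE/NOT (action=CREATE)/g
    }' "$file.bak" > "$file"
}

# Constructed sample resembling a macros.conf: two raw definitions plus one
# that is already correct, so the idempotency guard gets exercised.
make_sample() {
    cat > "$1" <<'EOF'
[srx_traffic_base]
definition = srx_traffic action!=CREATE
iseval = 0

[srx_threat_base]
definition = srx_threat
iseval = 0

[srx_already_fixed]
definition = sourcetype=srx_traffic
EOF
}

# Succeeds (exit 0) only when no definition line still carries an
# unqualified srx_traffic/srx_threat term and no action!=CREATE remains.
check_fixed() {
    ! grep -E '^definition.*[^=]srx_(traffic|threat)' "$1" >/dev/null \
        && ! grep 'action!=CREATE' "$1" >/dev/null
}

# Demo against the constructed sample in a scratch directory.
tmp="${TMPDIR:-/tmp}/srx_macros_demo.$$"
mkdir -p "$tmp"
make_sample "$tmp/macros.conf"
fix_srx_macros "$tmp/macros.conf"
fix_srx_macros "$tmp/macros.conf"   # second run must be a no-op
cat "$tmp/macros.conf"
check_fixed "$tmp/macros.conf" && echo "macros.conf updated"
rm -rf "$tmp"
```

On the real server, point fix_srx_macros at etc/apps/SplunkforJuniperSRX/default/macros.conf and diff it against the .bak copy before restarting Splunk; changes in the app's default directory are overwritten on app upgrade, so the same edits belong in a local/macros.conf override if you want them to survive.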