I installed the Splunk for Palo Alto Networks app. I am getting data and my index and source types are correct. When I do searches, all the PA fields are getting extracted.
However, only the Overview dashboard works; it displays real-time information.
The other dashboards and sub-dashboards under Traffic, Threat, Content and System all say "Search is waiting for input..." and the drop downs all say "Search produced no results."
We are using a cluster, so the app is installed on the heavy forwarder that receives the logs and on a search head that can search all of our indexers.
EDIT: Just realized that the heavy forwarder is still running v6.0.3. Maybe that's the issue. Upgrading tonight to find out.