We've recently started to change our splunk topology from a single search head / indexer, to search head and remote peer indexers.
The PAN splunk app will stay installed on the search head, however now with the traffic going to the indexers, all traffic is indexed as pan_log, however I recall a transforms.conf file that was setup in the application that would use some regex values to split up the traffic / threat / system traffic into different sourcetypes (?).
How is the PAN app supposed to work in this type of topology? Do I need to install the app on each of the indexers and have the transforms.conf copied over from the search head (original install point)?