The Splunk App for Palo Alto does not seem to be doing distributed searching. I have an indexer/search head in 3 different regions, and when I do a search using the search app on each search head for index=pan_logs, I get 50+ hosts, but when I use the Splunk PA app on each search head in each region, I get much smaller numbers of hosts, sometimes as few as 1 in the region with only a few Palo Altos indexing to that regional indexer.
I know the Pan Reporting number will vary based on traffic since it's a real-time search, but when comparing the results from the 3 search heads at the same time, I'm getting very different numbers.