I recently installed Splunk (4.3.4) and the Palo Alto app (2.3) and have run into an issue I can't seem to find a solution to. The PAN is forwarding traffic over to the Splunk server just fine. If I look at the PAN Overview page, I see numbers updating in the four boxes at the top of the screen (PAN Reporting, Events, Block-URL, Top Category); however, the Event Types panel on the right of the screen says "Waiting for Data." My inputs.conf is configured as follows:

[udp://5155]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true

If I try to look at any of the dashboards I get the response "No results found. Inspect..." and I'm not sure where to go from here. My guess is I need to possibly add a data input? But this was not listed in the install notes, so my guess may be wrong. Another idea was to change the macros.conf, as was suggested a couple of times in this forum, but no luck there either. I'm running Splunk on a Windows 2008 R2 x64 server. Any help would be appreciated!