Running Splunk on RHEL x64 with the latest version of the Palo Alto app. On the overview screen I can see 1 pan reporting and events showing up, but nothing in the block-url and N/A on the top category; everything else is blank. When I do a search for index I only get "pan_logs", and the only source type is "pan_log".
My inputs.conf is as follows:
index = pan_logs
connection_host = ip
sourcetype = pan_log
#no_appending_timestamp = true
If I do
no_appending_timestamp = true
nothing will show up on the overview page; everything is 0.
My macros.conf hasn't been changed.
Any help would be nice.