Channel: Q&A related to Splunk for Palo Alto Networks

Splunk for Palo Alto HELP with Initial Configuration


We're trying to deploy the SPLUNK FOR PALO ALTO app in our environment (Windows). The app seems to have loaded correctly, as well as the required resources from the apps page.

We set up the configs on the Palo Alto side, and traffic appears to be hitting the Splunk environment; however, nothing is showing up in Splunk.

The inputs.conf file is defined as:

[udp://514]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
disabled = 0

With the macros.conf file as:

[pan_index]
definition = index=pan_logs

[pan_threat]
definition = `pan_index` (sourcetype="pan_threat" OR sourcetype="pan_threat-2050") NOT "THREAT,url"

[pan_threat_all]
definition = `pan_index` (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")

[pan_traffic]
definition = `pan_index` sourcetype="pan_traffic"

[pan_system]
definition = `pan_index` sourcetype="pan_system"

[pan_config]
definition = `pan_index` sourcetype="pan_config"

[pan_web_activity]
definition = `pan_index` "THREAT,url" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")

[pan_url]
definition = `pan_index` "THREAT,url" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")

[pan_data_filtering]
definition = `pan_index` "THREAT,data" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")

[pan_data]
definition = `pan_index` "THREAT,data" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")

[pan_wildfire]
definition = `pan_index` "THREAT,wildfire" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")

[pan_wildfire_report]
definition = `pan_index` sourcetype="pan_wildfire_report"

[tstats]
definition = tstats
definition = tstats prestats=true local=`tstats_local`

[tstats_local]
definition = false
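As an added example that is not part of the original post or of the Splunk for Palo Alto app, the Python script below parses macros.conf stanzas like the ones above, expands the backtick macro references (the `pan_index` inside `pan_traffic`) into the literal search string you can paste into the search bar to test the index directly, and flags any definition that names a macro without backticks, which Splunk treats as a plain keyword and which then matches nothing. The conf text is a constructed subset of the posted stanzas.

```python
import configparser
import re

# Constructed sample: a subset of the macros.conf stanzas from the post,
# with one definition deliberately missing its backticks around pan_index.
MACROS_CONF = """
[pan_index]
definition = index=pan_logs

[pan_traffic]
definition = `pan_index` sourcetype="pan_traffic"

[pan_threat]
definition = `pan_index` (sourcetype="pan_threat" OR sourcetype="pan_threat-2050") NOT "THREAT,url"

[pan_web_activity]
definition = pan_index "THREAT,url" (sourcetype="pan_threat" OR sourcetype="pan_threat-2050")
"""

MACRO_REF = re.compile(r"`([A-Za-z0-9_]+)`")


def load_macros(conf_text):
    """Parse macros.conf stanzas into {macro_name: definition}.
    strict=False keeps the last value when a stanza repeats a key
    (as the posted [tstats] stanza does), matching Splunk's last-wins rule."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(conf_text)
    return {name: parser[name].get("definition", "") for name in parser.sections()}


def expand(name, macros, _seen=None):
    """Recursively expand backtick references; raise on undefined or cyclic macros."""
    seen = set(_seen or ())
    if name in seen:
        raise ValueError(f"macro cycle involving `{name}`")
    if name not in macros:
        raise KeyError(f"undefined macro `{name}`")
    seen.add(name)
    return MACRO_REF.sub(lambda m: expand(m.group(1), macros, seen), macros[name])


def bare_references(macros):
    """Return {macro: [names]} for definitions that mention a known macro name
    outside backticks and outside quoted values (a literal keyword, not a macro call)."""
    problems = {}
    for name, definition in macros.items():
        stripped = re.sub(r'"[^"]*"', "", MACRO_REF.sub("", definition))
        hits = [m for m in macros if m != name and re.search(rf"\b{m}\b", stripped)]
        if hits:
            problems[name] = hits
    return problems
```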

