Hi,
I follow the instruction to set up the data input config in inputs.conf of Forwarder server and install the Palo Alto Apps in Indexer server.
I found the Indexer can receive the log successfully but it cannot extract field from log. The search inspector show the follow message in Traffic dashboard: None | tstats sum(bytes_sent) AS sumSent sum(bytes_received) AS sumReceived FROM pan_traffic where log_subtype=end groupby _time span=5m | timechart span=5m values("sumReceived") AS "Bytes Received" values("sumSent") AS "Bytes Sent"
It seems the problem caused by props.conf and transforms.conf is not applied.
Do you know any additional config is required if deploy on Forwarder and Indexer environment?
Thanks