I have a V6 cluster with a Master Node, 5 Indexers, and a Search Head Pool with 3 Search Heads and 2 forwarders that receive all the data. The PAN logs come in on UDP 11112.
The simple installation instructions say
- Unpack the tarball into $SPLUNK_HOME/etc/apps
- Restart Splunk
I figured this out, so I'm just updating the steps. I'm going to run through this again to verify, but I'm pretty sure I've got everything. YMMV
- Install on Master Node, restart and configure.
- Move/copy /opt/splunk/etc/apps/SplunkforPaloAltoNetworks to /opt/splunk/etc/master-apps/SplunkforPaloAltoNetworks
- Use Master Node to deploy the app to indexers.
- Install on Search Heads. Make sure it goes to the Search Head Pool NFS mount /NFS-SH/etc/apps.
- Install on forwarders so the props and translations take effect.
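The per-role placement in the steps above, as an added shell example (not from the original poster): given a node role and the app tarball, it unpacks the app into the directory that role expects and verifies the result, and it refuses to stage anything by hand on an indexer, since indexers only receive the app through the master's bundle. It assumes $SPLUNK_HOME is /opt/splunk, the pooled search-head path is /NFS-SH/etc/apps, the app directory is named SplunkforPaloAltoNetworks (all taken from the post), and that the role is supplied by the operator. The inputs.conf check is there because a forwarder that never gets the [udp://11112] stanza silently drops the PAN feed.

```shell
#!/bin/sh
# Added example, not part of the original post or the Palo Alto app.
# Assumptions (overridable via environment): SPLUNK_HOME=/opt/splunk,
# pooled search-head apps live under /NFS-SH/etc/apps, and the unpacked app
# directory is SplunkforPaloAltoNetworks.
APP_NAME="${APP_NAME:-SplunkforPaloAltoNetworks}"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SH_POOL_APPS="${SH_POOL_APPS:-/NFS-SH/etc/apps}"

# target_dir ROLE: print the directory the app directory belongs in for ROLE.
# Returns 1 for 'indexer' (the master pushes it with the cluster bundle, never
# copied by hand) and for any unknown role.
target_dir() {
    case "$1" in
        master)     printf '%s\n' "$SPLUNK_HOME/etc/master-apps" ;;
        searchhead) printf '%s\n' "$SH_POOL_APPS" ;;          # shared NFS pool, not local etc/apps
        forwarder)  printf '%s\n' "$SPLUNK_HOME/etc/apps" ;;
        *)          return 1 ;;
    esac
}

# stage_app ROLE TARBALL: unpack TARBALL into the directory for ROLE and print
# the resulting app path. Fails if the role is not staged by hand or the
# expected app directory did not appear after extraction.
stage_app() {
    role="$1"; tarball="$2"
    dest="$(target_dir "$role")" || { echo "role '$role' is not staged by hand" >&2; return 1; }
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest"
    [ -d "$dest/$APP_NAME" ] || { echo "$APP_NAME missing under $dest" >&2; return 1; }
    printf '%s\n' "$dest/$APP_NAME"
}

# check_udp_input APP_DIR PORT: succeed only if the app's default/ or local/
# inputs.conf declares a [udp://PORT] stanza. Run on a forwarder after staging
# to confirm it will actually listen for the PAN feed (UDP 11112 in the post).
check_udp_input() {
    grep -qsxF "[udp://$2]" "$1/default/inputs.conf" "$1/local/inputs.conf"
}
```

Typical use on a forwarder is `app=$(stage_app forwarder SplunkforPaloAltoNetworks.tgz) && check_udp_input "$app" 11112`, then a Splunk restart as the post says; on the master you stage with `master` and push the bundle from there rather than touching the indexers.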