I am having two issues when searching PaloAlto events.
When I first added PaloAlto events, all the fields had descriptors:
src_ip= 50.0.0.1 dst_ip=10.0.0.1 app=facebook_social_plugin
Now it just clumps all the information together:
50.0.0.1 10.0.0.1 facebook_social_plugin
I'm not sure if I changed something, or if that's on the PaloAlto side of things, but if it's something Splunk related, how can I get the field descriptors to show again?
The other issue I'm having is that, even when it does show the field descriptors, the information is all clumped together and a pain to sift through.
I like the way that, when I started pulling from a database, it allowed me to choose how I wanted the information to be formatted. So I would select "Multi-line key-value format" and it would look like:
src_ip=50.0.0.1
dst_ip=10.0.0.1
app=facebook_plugin_social
Is there any way to do this for PaloAlto events?