Theres no data shown in the app.
Do I configure the inputs.conf at /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/local or /opt/splunk/etc/system/local ?
I'm currently taking in the logs already and sourcetype as syslog.
Here's my config for inputs.conf [udp://5555] connection_host = ip1|ip2 sourcetype = pan_log no_appending_timestamp = true
Anything I've missed?