Issues getting sourcetype=pan:* to produce data in query. #293
Comments
🎉 Thanks for opening your first issue here! Welcome to the community!
Hello, the add-on should be installed everywhere except for Universal Forwarders. If you are using a Heavy Forwarder then it needs to be installed there too. Where to install
Is this also the case for a Single Instance Splunk Environment? Also, could I configure this with just the Add-on installed on the Search Head & Indexer, and not have the App installed on the Search Head?
Yes, that is correct; only the TA is needed for parsing. I'm not sure I understand your question in regards to the single instance environment.
@paulmnguyen Single-instance deployments. Distributed deployments: In a typical distributed deployment, each Splunk Enterprise instance performs a specialized task and resides on one of three processing tiers corresponding to the main processing functions: Data input tier
@paulmnguyen What could be the issue?
Try running a search for pan:* but set the time to "All Time"
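The two replies above make the same point: the TA's sourcetype handling is applied when data is parsed (on the indexer or a heavy forwarder), so a TA installed only on search heads leaves events under whatever sourcetype the syslog input assigned, and a time-restricted search hides older data. The searches below, added here as an example and not part of the original thread, check both conditions. They assume the index name `network` from the issue; every other value is a placeholder you adjust to your environment.

```spl
| tstats count WHERE index=network earliest=0 latest=now BY sourcetype
| sort - count

index=network earliest=0 latest=now sourcetype!=pan:*
| head 20
| table _time host sourcetype _raw
```

Run the first search on its own: it lists every sourcetype ever written to the index regardless of the time picker. If `pan:*` sourcetypes are absent but the count is non-zero, run the second search; PAN-OS syslog lines appearing under a generic syslog sourcetype confirm that parsing happened on an instance without the TA, which is the "install on the indexer and heavy forwarder" case from the reply above. If both searches return nothing, the data is not reaching the index at all and the syslog forwarder input, not the add-on, is the place to look.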
Describe the bug
I am currently troubleshooting the Palo Alto Add-on in my Splunk Instance.
https://splunkbase.splunk.com/app/2757
I am having the issue of having it populate logs against my palo alto appliances in my environment whenever I query my network index and sourcetype=pan:firewall
Expected behavior
I would expect data to populate tailored to the sourcetype of "pan:firewall" or "pan:*"
Current behavior
Currently, the add-on is installed only on the search heads.
The PAN-OS appliances are sending syslog data to the syslog forwarder(s).
My Splunk environment is considered a Distributed Instance Deployment.
The Palo Alto log data comes from a syslog forwarder over UDP/514.
Possible solution
Does the add-on also need to be installed on the indexer AND forwarder(s)?
Other configurations to take into account?
Screenshots (images not reproduced): Query; Sourcetype Menu; pan:firewall view