I recently installed the Splunk App for Palo Alto on our indexers and search heads and set up a syslog feed from our Palo Alto firewall to one of our indexers. Using the app on that indexer worked perfectly. When I switched to our search heads, no data was populated in the app, even though the index was still searchable. After doing some research I found that a change to the data model was necessary.
In the SplunkAppForPaloAlto data model, the "pan_index" constraint must be changed to index=pan_logs (note the removal of the quotes). They also recommended disabling acceleration for this data model while making the change.
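The edit above can be made in Splunk Web, but it is easy to verify (or script) against the data model's JSON. The following is an added example, not code from the original post or from the Palo Alto app: it assumes the on-disk data model is the JSON Splunk writes under `data/models/`, with a list of `objects` each carrying `constraints` entries of the form `{"search": ..., "owner": ...}`, that the offending constraint is the literal quoted string `"pan_index"` as the post describes, and that the model's acceleration flag lives in a `datamodels.conf` stanza named after the model. The sample model and conf text are constructed for the example.

```python
import json
import re

# Constructed sample: a minimal data model JSON shaped like what Splunk stores
# under $SPLUNK_HOME/etc/apps/<app>/local/data/models/ after a UI edit. The
# quoted "pan_index" root constraint mirrors the post; it is not the app's file.
SAMPLE_MODEL = json.dumps({
    "modelName": "SplunkAppForPaloAlto",
    "displayName": "Palo Alto Firewall Logs",
    "objects": [
        {
            "objectName": "PANEvents",
            "parentName": "BaseEvent",
            "constraints": [{"search": "\"pan_index\"", "owner": "PANEvents"}],
            "fields": [],
        },
        {
            "objectName": "Traffic",
            "parentName": "PANEvents",
            "constraints": [{"search": "log_subtype=traffic", "owner": "Traffic"}],
            "fields": [],
        },
    ],
})

OLD_CONSTRAINT = '"pan_index"'     # quoted literal, as the post describes
NEW_CONSTRAINT = "index=pan_logs"  # bare index filter the post recommends


def rewrite_constraints(model_text, old=OLD_CONSTRAINT, new=NEW_CONSTRAINT):
    """Return (new_json_text, number_of_constraints_changed).

    Replaces only constraint searches that exactly equal `old`, so a child
    constraint that merely contains the text (or a real index filter) is
    left untouched.
    """
    model = json.loads(model_text)
    changed = 0
    for obj in model.get("objects", []):
        for constraint in obj.get("constraints", []):
            if constraint.get("search", "").strip() == old:
                constraint["search"] = new
                changed += 1
    return json.dumps(model, indent=2), changed


def root_constraints(model_text):
    """Constraint searches of root objects (parent BaseEvent).

    A quick post-change check: every root constraint should now begin with
    an index filter rather than a bare quoted term.
    """
    model = json.loads(model_text)
    return [c["search"]
            for obj in model.get("objects", [])
            if obj.get("parentName") == "BaseEvent"
            for c in obj.get("constraints", [])]


def set_acceleration(datamodels_conf, model_name, enabled):
    """Set `acceleration = true|false` in the model's datamodels.conf stanza.

    Rewrites an existing key, adds the key if the stanza lacks one, and adds
    the stanza if the file lacks it.
    """
    stanza = f"[{model_name}]"
    value = f"acceleration = {'true' if enabled else 'false'}"
    lines = datamodels_conf.splitlines()
    out, in_stanza, seen = [], False, False
    for line in lines:
        if line.strip().startswith("["):
            if in_stanza and not seen:      # leaving our stanza without a key
                out.append(value)
                seen = True
            in_stanza = line.strip() == stanza
        if in_stanza and re.match(r"^\s*acceleration\s*=", line):
            line, seen = value, True
        out.append(line)
    if in_stanza and not seen:              # our stanza was last in the file
        out.append(value)
    elif not any(l.strip() == stanza for l in lines):
        out.extend([stanza, value])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fixed, count = rewrite_constraints(SAMPLE_MODEL)
    print(f"changed {count} constraint(s); roots now: {root_constraints(fixed)}")
    print(set_acceleration("[SplunkAppForPaloAlto]\nacceleration = true\n",
                           "SplunkAppForPaloAlto", False))
```

Disable acceleration first (the summaries are built from the root constraint), make the constraint change, then re-enable it so the summary is rebuilt against `index=pan_logs`; the `root_constraints` check is the one-liner to confirm the search head's copy of the model actually carries the index filter.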