I recently installed the Splunk App for Palo Alto on our indexers and search heads and set up a syslog feed from our Palo Alto to one of our indexers. Using the app on that indexer worked perfectly. When I switched to our search heads, no data was populated in the app; however, the index was still accessible from search. After doing some research I found that a change to the data model was necessary.
In the SplunkAppForPaloAlto data model, the “pan_index” constraint must be changed to index=pan_logs (note the removal of the quotes). They also recommended disabling acceleration for this data model while making the change.
After making this change the Palo Alto app began to work correctly on the search heads.
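The same constraint check, as an added example that is not part of the original post or of the Palo Alto app: it scans a Splunk data model JSON file (the `objects` / `constraints` / `search` layout is assumed, and the model content below is constructed) for constraints that quote the index value, and rewrites them to the unquoted form while leaving values that genuinely need quoting alone.

```python
import json
import re

# Constructed sample in the shape of a Splunk data model JSON file
# ($SPLUNK_HOME/etc/apps/<app>/.../data/models/<name>.json); the
# objects/constraints/search layout is an assumption, as are the values.
SAMPLE_MODEL = json.dumps({
    "modelName": "SplunkAppForPaloAlto",
    "objects": [
        {"objectName": "pan_index",
         "constraints": [{"search": 'index="pan_logs"', "owner": "pan_index"}]},
        {"objectName": "pan_threat",
         "constraints": [{"search": "sourcetype=pan_threat", "owner": "pan_threat"}]},
    ],
})

# Only match index values that are safe to unquote (plain index names);
# anything with spaces or wildcards that relies on the quotes is left as-is.
QUOTED_INDEX = re.compile(r'index\s*=\s*"([A-Za-z0-9_-]+)"')


def find_quoted_index_constraints(model_json: str):
    """Return (objectName, search) pairs whose constraint quotes the index value."""
    model = json.loads(model_json)
    hits = []
    for obj in model.get("objects", []):
        for c in obj.get("constraints", []):
            if QUOTED_INDEX.search(c.get("search", "")):
                hits.append((obj["objectName"], c["search"]))
    return hits


def unquote_index_constraints(model_json: str) -> str:
    """Rewrite index="x" to index=x in every constraint; return the new JSON text."""
    model = json.loads(model_json)
    for obj in model.get("objects", []):
        for c in obj.get("constraints", []):
            c["search"] = QUOTED_INDEX.sub(r"index=\1", c.get("search", ""))
    return json.dumps(model, indent=2)


def constraint_searches(model_json: str):
    """List every constraint search string in document order (for verification)."""
    model = json.loads(model_json)
    return [c["search"] for obj in model.get("objects", [])
            for c in obj.get("constraints", [])]


if __name__ == "__main__":
    print(find_quoted_index_constraints(SAMPLE_MODEL))
    print(unquote_index_constraints(SAMPLE_MODEL))
```

Disable acceleration on the model before writing the rewritten JSON back, as the post notes, and re-enable it afterwards.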