Comments (7)
Hello,
The add-on should be installed everywhere except for Universal Forwarders. If you are using a Heavy forwarder then it needs to be installed there too.
Where to install
| Splunk Node | What to install |
|---|---|
| Search Head | Add-on and App |
| Indexer | Add-on only |
| Heavy Forwarder | Add-on only |
| Universal Forwarder | None |
https://splunk.paloaltonetworks.com/installation.html
from splunk-apps.
Thanks for opening your first issue here! Welcome to the community!
from splunk-apps.
Is this also the case for a Single Instance Splunk Environment?
Also, could I configure this with just the Add-on installed on the Search head & Indexer, and not have the App installed on the Search head?
from splunk-apps.
Yes, that is correct, only the TA is needed for parsing. I'm not sure I understand your question in regards to the single instance environment.
from splunk-apps.
@paulmnguyen
https://docs.splunk.com/Documentation/Splunk/9.0.4/Overview/AboutSplunkEnterprisedeployments
Single-instance deployments
In small deployments, one instance of Splunk Enterprise handles all aspects of processing data, from input through indexing to search. A single-instance deployment can be useful for testing and evaluation purposes and might serve the needs of department-sized environments.
Distributed deployments
To support larger environments where data originates on many machines, where you need to process large volumes of data, or where many users need to search the data, you can scale the deployment by distributing Splunk Enterprise instances across multiple machines. This is known as a "distributed deployment".
In a typical distributed deployment, each Splunk Enterprise instance performs a specialized task and resides on one of three processing tiers corresponding to the main processing functions:
Data input tier
Indexer tier
Search management tier
from splunk-apps.
@paulmnguyen
Also, my SA confirmed that the Add-on is on all indexers located in "Slave Apps", and are installed on the search heads per the instructions for the Add-on.
What could be the issue?
from splunk-apps.
Try running a search for pan:* but set the time to "All Time"
from splunk-apps.
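An added troubleshooting search (not from the thread or the add-on's own code) that does the "All Time" check suggested above in one pass. It assumes the firewall data is indexed under a sourcetype starting with pan: or pan_, and that the add-on, when installed on the indexing tier, rewrites the generic incoming sourcetype into the specific ones (pan:traffic, pan:threat, and so on); the `earliest=0 latest=now` terms are the same as picking "All Time" in the time picker.

```spl
index=* (sourcetype=pan:* OR sourcetype=pan_*) earliest=0 latest=now
| stats count
        min(_time)  AS first_event
        max(_time)  AS last_event
        dc(host)    AS firewalls
        count(eval(isnotnull(log_subtype))) AS events_with_log_subtype
  BY index sourcetype
| eval first_event = strftime(first_event, "%Y-%m-%d %H:%M:%S"),
       last_event  = strftime(last_event,  "%Y-%m-%d %H:%M:%S"),
       parsed_pct  = round(100 * events_with_log_subtype / count, 1)
| sort - last_event
```

No rows at all means the indexers are not receiving the data under a pan sourcetype (check the input, not the add-on); rows only under the generic sourcetype, or a parsed_pct near zero, point at the add-on missing or not enabled on the indexer or heavy forwarder tier, which is where the table in the first comment puts it.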