We have a distributed deployment with both indexer and search head clusters. Splunk App for Palo Alto is installed on the search heads while the TA-paloalto is installed on the indexers. The TA is extracting fields on the indexers with props.conf:
[pan_traffic]
REPORT-0auto_kv_for_pan_traffic =
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_NAMES = "receive_time", "serial", "type", "subtype", "config_ver", "time_generated", "src_ip","dest_ip", "src_translated_ip", "dest_translated_ip", "rule", "src_user", "dest_user",...........
My problem is that I can see all the fields in the Search and Reporting context only when the App is enabled. But why is that the case, considering the TA is on the indexers?