- This documentation is deprecated in Splunk App and Add-on version 6.0.
- The latest documentation is now available here: http://splunk.paloaltonetworks.com/upgrade.html
Most upgrades don’t require any special action. Just upgrade like any other Splunk app. For the versions below, there are some considerations or actions needed to migrate to the new version.
Upgrade to App Version 5.0¶
This applies if upgrading from a pre-5.0 version of this app to 5.0.0 or higher.
Starting with App v5.0.0, the App now requires the Palo Alto Networks Add-on for Splunk. The required version of the TA is always listed in the README.md file in the Palo Alto Networks App, and in the Release Notes, and this Add-on is always included in the App.
You do not need to install the Add-on (TA) separately. It is installed or upgraded automatically when the Palo Alto Networks App v5.0.0 or higher is installed.
ACTION REQUIRED: You must remove the deprecated TA, called TA_paloalto. This usually applies if you use Splunk Enterprise Security version 3.x because it comes with TA_paloalto. Recreate any inputs from the old TA in the new TA using the instructions in the Getting Started guide. Check the apps directory in Splunk and take the necessary action according to the table:
|Existing TA||Action Needed|
|TA_paloalto||Delete this TA directory, recreate data inputs in new TA|
|Splunk_TA_paloalto||No action required, TA is upgraded automatically by App|
|No TA installed||No action required, TA is installed automatically by App|
The new App 5.0 and Add-on 3.5 do not use the
pan_logs index that previous
versions used. Now, logs can be stored in any index. Since the App no longer
specifies the pan_logs index, if you are upgrading, you will need to specify
the index yourself.
ACTION REQUIRED: Create a new index called
pan_logs using the
Splunk GUI or on the command line. Also, in your Splunk role settings, add the
pan_logs index to the list of Indexes searched by default.
Splunk will not overwrite the data previously indexed, and you will have
access to all the data indexed before the upgrade. Logs will continue to be
stored in the
pan_logs index according to the data inputs from the
previous App version, unless otherwise specified. The data input can
optionally be changed to store logs in a different index.
Results still might not show up during a search. This is because the
pan_logs index is not searched by default. To add the
to the list of indexes searched by default, in your Splunk settings, navigate
to Access controls -> Roles -> <your role>. Scroll down to the
section Indexes searched by default. Move
All non-internal indexes) to the right column.
The lookups have been moved to the Add-on (TA). However, Splunk Enterprise does not remove lookup tables during the upgrade process. So you must remove the lookup tables from the App after the upgrade, or you will see errors while searching within the App.
ACTION REQUIRED: Delete any lookups in the App that you did not create.
If you did not create any lookups in the App directory, then you can safely
delete the entire lookup directory from the App. The path to the lookup
rm -rf $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/lookups
The sourcetype format has changed:
|Old sourcetype||New sourcetype|
No action is required. The old sourcetypes will be interpreted as the new
sourcetype automatically. Optionally the data input can be changed to store
logs with the sourcetype
pan:log instead of
pan_log. This is more
correct, but will not change the way logs are retrieved from the index.
The data input should only specify pan:log or pan_log for the sourcetype. The logs are automatically parsed into the other sourcetypes (pan_traffic, pan_threat, etc) by the Add-on, so they should not be referenced in the data input.
Upgrade to App Version 4.1¶
This applies if upgrading from a pre-4.1 version of this app to 4.1.0 or higher.
Starting in version 4.1 of this app, all of the dashboards use the Splunk 6 Datamodel feature, which allows for pivot of Palo Alto Networks data and better control and acceleration of summary indexes used by the dashboards. This replaces the TSIDX feature from Splunk 5.
After upgrade to 4.1 or higher, you may delete the TSIDX files that were
generated by the previous version of the app. To delete the TSIDX files,
$SPLUNK_HOME$/var/lib/splunk/tsidxstats/ and remove any
directories that start with
pan_. There could be up to 10 directories.
Splunk will backfill the datamodel with historic data up to 1 year old. It may take some time for historic data to show up in the dashboards, but it will be available in the pivot interface and search immediately. The time range for historic data to be available in the dashboards can be adjusted in the datamodel accelerations settings.
If you have customized the built-in dashboards of a previous app version,
then they will no longer work because the customized dashboards will still
use TSIDX. Remove your custom dashboards from the
local directory of the
app to use the new datamodel-based dashboards. You can add your
customizations to the new dashboards.