Migration to Splunk add-on for Palo Alto Networks
There are two possible migration considerations regarding the Splunk add-on for Palo Alto Networks:
- If you run both add-ons at the same time:
  - The new add-on can be used as a proof of concept (POC), and then safely disabled if it no longer meets your requirements.
  - This could potentially break knowledge object extractions.
  - This creates duplicate data until you disable the old add-on.
- If you disable the Palo Alto supported add-on and only use the Splunk-supported add-on for Palo Alto Networks:
  - Knowledge objects work as desired.
  - There is minimal data duplication.
  - To migrate modular inputs without any data loss, you must disable the Palo Alto Networks supported add-on at the same date and time that you set as the start of data collection in the new add-on.
  - If you need to roll back to the old add-on, you may encounter issues and potential data loss.
Note
To ingest syslog data without any loss, you must first configure syslog input for the Splunk-supported add-on for Palo Alto Networks and only then disable the Palo Alto-supported add-on.
If you have already installed the Palo Alto Networks Add-on for Splunk in a Splunk instance and want to install Splunk add-on for Palo Alto Networks in the same Splunk instance, you must first:
- Disable inputs for the Palo Alto Networks Add-on for Splunk
- Disable the Palo Alto Networks Add-on for Splunk
This prevents conflicts between the modular inputs, data collection mechanisms, and sourcetypes of the two add-ons.
To disable modular inputs for Palo Alto Networks Add-on for Splunk, navigate to the Inputs page and select “Disable”.
To disable the Palo Alto Networks Add-on for Splunk, navigate to Apps > Manage Apps and select the “Disable” option for the add-on.
If both add-ons are enabled on the same Splunk instance, data duplication occurs for the sourcetypes with the same names: pan:iot_alert, pan:iot_device, pan:iot_vulnerability, pan:xdr_incident
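As an added pre-migration check (not part of this documentation or of either add-on), the following Python script parses constructed inputs.conf fragments for both add-ons and reports which inputs of the Palo Alto-supported add-on are still enabled and which sourcetypes both add-ons would collect at the same time. The stanza kinds and input names are assumptions; only the sourcetype values come from this page.

```python
import configparser

# Constructed sample of local/inputs.conf for the Palo Alto-supported add-on
# (stanza kinds and input names are hypothetical; sourcetypes are the ones this page lists).
OLD_ADDON_INPUTS = """
[iot_security://iot_alerts]
sourcetype = pan:iot_alert
disabled = 0

[iot_security://iot_devices]
sourcetype = pan:iot_device
disabled = 1

[cortex_xdr://incidents]
sourcetype = pan:xdr_incident
disabled = false
"""

# Constructed sample for the Splunk-supported add-on collecting the same sourcetypes.
NEW_ADDON_INPUTS = """
[iot_security_alert://iot_alerts]
sourcetype = pan:iot_alert
disabled = 0

[xdr_incident://incidents]
sourcetype = pan:xdr_incident
disabled = 0
"""

# Spellings accepted as a true boolean in Splunk .conf files (assumption: the common ones).
TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}

def parse_inputs_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse inputs.conf text into {stanza: {key: value}}, keeping Splunk's key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk .conf keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def is_enabled(stanza: dict[str, str]) -> bool:
    """An input is enabled unless 'disabled' is set to a true value (Splunk's default is enabled)."""
    return stanza.get("disabled", "0").strip().lower() not in TRUE_VALUES

def migration_conflicts(old_conf: str, new_conf: str) -> dict[str, list[str]]:
    """List old-add-on inputs still enabled and sourcetypes both add-ons would collect."""
    old, new = parse_inputs_conf(old_conf), parse_inputs_conf(new_conf)
    still_enabled = sorted(name for name, kv in old.items() if is_enabled(kv))
    old_types = {kv["sourcetype"] for kv in old.values() if is_enabled(kv) and "sourcetype" in kv}
    new_types = {kv["sourcetype"] for kv in new.values() if is_enabled(kv) and "sourcetype" in kv}
    return {"old_inputs_still_enabled": still_enabled, "duplicated_sourcetypes": sorted(old_types & new_types)}
```

Run the check against the real files under the old add-on's local directory before enabling the new add-on; an empty report means no input clash and no duplicated sourcetypes.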
If you created syslog inputs in a local folder for the Palo Alto Networks Add-on, you must migrate them manually to the new add-on.
For changes in CIM mapping, see the Add-on comparison page.
Note
Changes in CIM may impact custom saved searches or dashboards.
For information about add-on configuration, see:
- Configure IoT Security and Cortex XDR accounts in add-on
- Cortex XDR
- IoT Security
- Firewalls and Panorama
- Strata Logging Service
Note
For dashboards, use the Splunk-supported app for Palo Alto Networks.