Configure the Data Model used by the Splunk App for Palo Alto Networks

Many of the visualization in the Splunk App for Palo Alto Networks use the pan_firewall Data Model, you must enable data model acceleration to see data in the dashboards. The data model acceleration is not enabled by default.

Enable it using the following steps:

1. Navigate to Settings -> Datamodels and locate the Palo Alto Networks Firewall Logs Data Model

2. Under Actions, select Edit Acceleration

3. Click the checkbox next to Accelerate and set the Summary Range to 7 days.

4. Click Save

5. It may take a few minutes for the acceleration to complete. To check the status of the acceleration, expand Palo Alto Networks Firewall Logs and locate the status under Acceleration.

The time period represents how much data will show in the dashboards, and has a significant impact on storage usage. If unsure, set the acceleration time period to 7 days.

Data Model acceleration is not required if using the Add-on only.

In cases where data model acceleration is not possible, the macro pan_summariesonly needs to be updated. To update the macro, use the following steps:

1. Navigate to Settings -> Advanced search -> Search macros and locate pan_summariesonly

2. Click pan_summariesonly to open settings and replace the definition with summariesonly=false

3. Click Save