Skip to main content
Lantern Home

 

Splunk Lantern

Transforming Palo Alto Networks firewall data with Data Management Pipeline Builders

  1. Last updated
  2. Save as PDF

Whether you’re filtering out verbose traffic logs or eliminating unnecessary events, Splunk Edge Processor (customer-hosted) and Splunk Ingest Processor (Splunk-hosted Saas) let you filter, transform, and optimize Palo Alto Networks (PAN) firewall logs before routing them to the Splunk platform or Amazon S3 for cost-effective storage.

With just a few clicks, you can apply pre-built templates to:

  • Reduce excessive log ingestion and optimize Splunk license consumption.
  • Enhance search performance by keeping only the most valuable security events.
  • Route processed data directly to the Splunk platform for real-time insights or to Amazon S3 for low-cost, long-term retention (with the option to query later via FS-S3 if needed).

Data required

Palo Alto Networks firewall data

Prerequisites 

Before you start writing an SPL2 pipeline to process and transform incoming logs, configure Edge Processor to natively listen for events coming over syslog by:

  • Opening a port to listen for syslog traffic on the Edge Processor node;
  • Configuring your device/application to send syslog data to Edge Processor; and
  • Configuring Edge Processor to listen for syslog feed on the opened port. 

You'll also need to verify that you have access to Splunk Data Management and can log in to your tenant (learn more). 

How to use Splunk software for this use case

Watch this video or follow the written steps below to use a pre-built pipeline template to filter PAN logs.

Step 1: Confirm the current state of PAN logs

Run a quick search for incoming PAN logs using syslog. You'll likely see:

  • All logs share a generic source type (example: pan:firewall)
  • No proper field extractions
  • Minimal search-time knowledge (only metadata fields like _index, _sourcetype, etc.)

clipboard_ec7d39160f049f4fc9b2fc43cb024a780.png

Step 2: Open Ingest Processor and create a pipeline

  1. Go to Data Management > Ingest Processor > Receive Data.
  2. Confirm that PAN firewall events are being ingested.
  3. Navigate to Pipelines, and click Create Pipeline.

Step 3: Use a PAN template to classify logs

  1. In the template picker, search for Palo Alto.
  2. Select the PAN Classification Template (example: pan_classify_events_template).
  3. Set the partition to the actual source type seen in your PAN logs (example: pan:firewall).

Step 4: Capture a live snapshot for previewing

  1. Choose Live Capture and click Capture New Snapshot.
  2. Name it something like pan_snapshot and set a short capture duration.
  3. Proceed to the next step with the snapshot selected.

clipboard_e16530b82a1212c817850e7cf278b0942.png

Step 5: Skip metrics, set destination index

  1. Skip the metrics destination step unless you're routing to a metrics index.
  2. Select the Splunk indexer destination for PAN logs (use an existing index or create one like pan_logs_index).
  3. Leave other options as default.

Step 6: Preview and apply the pipeline

Click Preview to review how the template transforms your data. You’ll now see:

  • Correct source types applied
  • Index reassignment as per classification
  • Fields extracted using the installed PAN TA

Click Save, name it something like pan_classify, and confirm when prompted to apply the pipeline.

clipboard_e129b03b90bd3b7b6a1b94ffbdaf3276d.png

Step 7: Validate the classification results

Wait a few minutes for new data to flow in, then refresh your dashboard or search. You should now see:

  • PAN events split across correct source types
  • Field extractions visible in “Interesting Fields”
  • Events routed to proper indexes

Step 8: (Optional) Optimize log size with another template

  1. Remove the classification-only pipeline if needed.
  2. Create a new pipeline using the PAN Optimize Log Size Template (example: pan_optimize_log_size_template).
  3. Set source type and snapshot as before.
  4. Preview (if applicable), then click Save and Apply.

Step 9: Review optimization results

  1. Open your log size analysis dashboard (or create one).
  2. Compare event size before and after optimization.

clipboard_e97c710d69ce7ff257299faf15f57da0e.png

Next steps

These resources might help you understand and implement this guidance: