Set Up Splunk for AI Discovery
AI Gateway's AI Discovery finds the AI agents and remote MCP servers in use across your network by reading your Palo Alto firewall logs from Splunk. For that to work, Splunk (Enterprise or Cloud) needs to receive the firewall's logs and sourcetype them as pan:traffic and pan:threat (with log_subtype=url) — the events AI Discovery reads.
This is the build-it-from-scratch guide. Steps 1–4 get data flowing and correctly typed; steps 5–6 verify it and create the read-only token AI Discovery uses to connect. Configure the firewall to forward Traffic and URL/threat logs first, since nothing below can be verified until the firewall is sending.
If Palo Alto data already flows into Splunk and is correctly sourcetyped, you can skip straight to creating the read-only token in step 6.
1. Prerequisites
- Admin on Splunk Enterprise (admin role) or Splunk Cloud Platform (sc_admin).
- The firewall configured to forward Traffic and URL/threat logs. The recommended setup forwards directly from the firewall over syslog/TCP (no intermediate forwarder), so the TCP input (step 4) is the primary input; it is the Splunk Add-on's native ingestion path.
2. Install the Splunk Add-on for Palo Alto Networks (required)
Install the Splunk Add-on for Palo Alto Networks (Splunkbase app 7523, the Splunk-supported add-on; the older Splunk_TA_paloalto is deprecated). The add-on does the index-time sourcetyping and field extraction that turn raw Palo Alto events into pan:traffic, pan:threat, pan:globalprotect, and so on, with the field names AI Discovery relies on (url, app, category, dest, user, http_user_agent). It first tags events as pan:log, then re-types them to the specific sourcetypes by content.
- Splunk Enterprise: install the add-on on the search head(s) and indexer(s) (heavy forwarders are supported; universal forwarders are not). Install via Apps → Find More Apps, or download from Splunkbase, unpack into $SPLUNK_HOME/etc/apps, and restart.
- Splunk Cloud: install from Apps → Find More Apps (self-service) or via a support request; the index-time work runs on the Splunk-managed indexing tier.
Docs: Splunk Add-on for Palo Alto Networks (Splunkbase 7523) · Installation overview · Source types.
3. Create the index (required)
Create an events index for the Palo Alto logs — the recommended convention is pan_logs. A dedicated index keeps the data easy to scope and lets you grant AI Discovery's token least-privilege read on just that index.
The name must be a valid Splunk index name: lowercase letters, digits, _, and -, not starting with _ or -, and never containing kvstore.
- Enterprise: Settings → Indexes → New Index, name pan_logs, type Events, Save. (On an indexer cluster, define the index in indexes.conf on the cluster manager, formerly called the cluster master, and push it to the peers instead of creating it on a single indexer.)
- Cloud: Settings → Indexes → New Index, name pan_logs.
Docs: Create custom indexes (naming rules).
4. Create the data input matching the firewall feed (required)
Create the TCP data input that receives the firewall's syslog and routes it to pan_logs with the add-on's pan:log sourcetype. This is the receiving end of the firewall's Syslog Server Profile (selected by its Log Forwarding Profile), and it must end up producing pan:traffic and pan:threat (with log_subtype=url) so the add-on's extractions and AI Discovery's queries line up.
- Settings → Data Inputs → TCP → New Local TCP: set Port = 5514, and under Accept connections from restrict to the firewall's address so only the NGFW can send. Click Next.
- On Input Settings, set Index = pan_logs and Sourcetype = pan:log (the add-on re-types pan:log into pan:traffic / pan:threat by content). Save.
Docs: Get data from TCP and UDP ports.
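Steps 3 and 4 as files rather than clicks. The following is an added example, not configuration shipped by Cequence or Splunk: it applies the index-naming rules from step 3 before emitting anything, then renders the indexes.conf and inputs.conf stanzas that the Splunk Web steps above produce, so they can be reviewed in version control or pushed from a cluster manager. The firewall address 192.0.2.10 and the $SPLUNK_DB layout are placeholders (assumptions), and the acceptFrom setting is the inputs.conf equivalent of "Accept connections from".

```python
"""Render the indexes.conf / inputs.conf stanzas for steps 3 and 4.

Added example, not Cequence or Splunk code.  Firewall address and port are
placeholder assumptions.
"""
import re

# Splunk index-name rules: lowercase letters, digits, '_' and '-', not
# starting with '_' or '-', and never containing the word 'kvstore'.
INDEX_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def valid_index_name(name):
    return bool(INDEX_NAME_RE.match(name)) and "kvstore" not in name


def indexes_conf(index):
    """Events index (type Events in Splunk Web) under the default $SPLUNK_DB."""
    if not valid_index_name(index):
        raise ValueError(f"invalid Splunk index name: {index!r}")
    return (
        f"[{index}]\n"
        f"homePath = $SPLUNK_DB/{index}/db\n"
        f"coldPath = $SPLUNK_DB/{index}/colddb\n"
        f"thawedPath = $SPLUNK_DB/{index}/thaweddb\n"
    )


def inputs_conf(index, firewall_ips, port=5514):
    """TCP syslog input restricted to the firewall(s), tagging events pan:log;
    the add-on re-types them into pan:traffic / pan:threat by content."""
    if not valid_index_name(index):
        raise ValueError(f"invalid Splunk index name: {index!r}")
    if not 0 < port < 65536:
        raise ValueError(f"invalid TCP port: {port}")
    if not firewall_ips:
        # Refuse to emit an open listener: only the NGFW may send.
        raise ValueError("acceptFrom must restrict the input to the firewall")
    return (
        f"[tcp://{port}]\n"
        f"index = {index}\n"
        "sourcetype = pan:log\n"
        f"acceptFrom = {', '.join(firewall_ips)}\n"  # 'Accept connections from'
        "connection_host = ip\n"
        "disabled = 0\n"
    )


if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder for the firewall.
    print(indexes_conf("pan_logs"))
    print(inputs_conf("pan_logs", ["192.0.2.10"]))
```

On Enterprise the two stanzas go under a local app (for example $SPLUNK_HOME/etc/apps/pan_inputs/local/) on the indexer or, on a cluster, in the manager's bundle; on Splunk Cloud the index is still created through Settings → Indexes, so only the inputs stanza applies there.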
5. Verify ingestion
Generate some AI traffic, then confirm the sourcetypes and the URL subtype with these searches in Splunk:
| tstats count WHERE index=pan_logs sourcetype=pan:* BY sourcetype
index=pan_logs sourcetype=pan:threat log_subtype=url | stats count
Expect nonzero pan:traffic and pan:threat, and a nonzero URL count. If the first search shows only pan:log, events are arriving but the add-on's index-time re-typing is not running where the data is indexed (check the add-on is installed on the indexer tier, not just the search head). If the URL count is zero, revisit the URL-Filtering profile and its alert actions on the firewall.
Not using the Add-on (Cribl or custom ingestion)? If your pipeline lands events in a different index, re-sourcetypes them, or renames fields, the schema is configurable — AI Discovery lets you point at a non-default index, sourcetypes, or renamed fields.
6. Create the least-privilege read-only REST token
Enable token authentication and mint a read-only token scoped to pan_logs. AI Discovery authenticates to search/jobs on :8089 with Authorization: Bearer <token>, so a least-privilege, finite-expiry token limits the blast radius.
- Enterprise: Settings → Tokens → enable token auth, then New Token for a dedicated read-only service account whose role can search only pan_logs (pan:traffic / pan:threat). Build that role with pan_logs as its only allowed index and no write or admin capabilities rather than inheriting from a broad role such as power. Give the token a finite expiry and a rotation plan.
- Splunk Cloud: also enable REST API access for the stack and add AI Discovery's outbound IP to the search-API allowlist. The endpoint is https://<stack>.splunkcloud.com:8089.
Provide this token to AI Gateway when you configure the AI Discovery data source.
Docs: Use authentication tokens · Splunk Cloud REST API access.
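Before handing the token to AI Gateway, it is worth running the step 5 searches through the same REST path AI Discovery uses, with the token itself, so that both the data and the token's scope are exercised at once. The script below is an added example, not part of AI Gateway or the Splunk Add-on: it posts each search to search/jobs/export on :8089 with Authorization: Bearer <token>, parses the JSON-lines response, and maps the counts back to the remediation hints in step 5. The host, token and time range are placeholders (assumptions), and the sample response lines are constructed for the offline demonstration, not captured from a real deployment.

```python
"""Run the step 5 checks via Splunk's REST search API with the read-only token.

Added example, not Cequence or Splunk code.  Host, token and time range are
placeholder assumptions; SAMPLE_* lines are constructed, not real output.
"""
import json
import ssl
import urllib.parse
import urllib.request

INDEX = "pan_logs"
SOURCETYPES = ("pan:traffic", "pan:threat")

# The REST API needs a search string to begin with "search " or a pipe, so
# the second step 5 search gets the explicit "search " prefix here.
SEARCH_BY_SOURCETYPE = f"| tstats count WHERE index={INDEX} sourcetype=pan:* BY sourcetype"
SEARCH_URL_SUBTYPE = f"search index={INDEX} sourcetype=pan:threat log_subtype=url | stats count"


def build_export_request(base_url, token, search, earliest="-24h"):
    """Return (url, headers, body) for a streaming export of one search."""
    url = base_url.rstrip("/") + "/services/search/jobs/export"
    headers = {
        "Authorization": f"Bearer {token}",  # token auth, no user:password
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "search": search,
        "earliest_time": earliest,
        "latest_time": "now",
        "output_mode": "json",  # one JSON object per line, row under "result"
    }).encode()
    return url, headers, body


def parse_export_lines(lines):
    """Collect final (non-preview) result rows from export output."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


def sourcetype_counts(rows):
    return {r["sourcetype"]: int(r["count"]) for r in rows if "sourcetype" in r}


def url_count(rows):
    return int(rows[0]["count"]) if rows else 0


def diagnose(counts, urls):
    """Turn the two results into the step 5 remediation hints."""
    problems = []
    typed = [st for st in SOURCETYPES if counts.get(st, 0) > 0]
    for st in SOURCETYPES:
        if st not in typed:
            problems.append(f"no {st} events in {INDEX}: check the TCP input and index")
    if counts.get("pan:log", 0) > 0 and not typed:
        problems.append("events stuck at pan:log: add-on re-typing not active on the indexing tier")
    if urls == 0:
        problems.append("no pan:threat log_subtype=url events: revisit URL-Filtering profile and alert actions")
    return problems


def run_check(base_url, token, cafile=None):
    """Live check against :8089; needs network access and a valid token."""
    ctx = ssl.create_default_context(cafile=cafile)
    results = []
    for search in (SEARCH_BY_SOURCETYPE, SEARCH_URL_SUBTYPE):
        url, headers, body = build_export_request(base_url, token, search)
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            results.append(parse_export_lines(resp.read().decode().splitlines()))
    counts, urls = sourcetype_counts(results[0]), url_count(results[1])
    return counts, urls, diagnose(counts, urls)


# Constructed sample responses (shape of output_mode=json export, not real data).
SAMPLE_BY_SOURCETYPE = [
    '{"preview":false,"offset":0,"result":{"sourcetype":"pan:log","count":"12"}}',
    '{"preview":false,"offset":1,"result":{"sourcetype":"pan:traffic","count":"48213"}}',
    '{"preview":false,"offset":2,"lastrow":true,"result":{"sourcetype":"pan:threat","count":"1970"}}',
]
SAMPLE_URL = ['{"preview":false,"offset":0,"lastrow":true,"result":{"count":"0"}}']

if __name__ == "__main__":
    counts = sourcetype_counts(parse_export_lines(SAMPLE_BY_SOURCETYPE))
    for problem in diagnose(counts, url_count(parse_export_lines(SAMPLE_URL))):
        print("FAIL:", problem)
    # Live run once the token exists (placeholders):
    # print(run_check("https://<stack>.splunkcloud.com:8089", "<token>"))
```

A 403 on the export call means the token or its role is wrong; an HTTP 200 with zero rows for pan_logs while the same search returns data for an admin user means the role's allowed indexes do not include pan_logs. Either way, fix the role rather than widening the token.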
Cequence AI Gateway