Skip to main content


Aperture SaaS Security is supported starting with App/Add-on 6.0.0.

Aperture is cloud-hosted so logs are retrieved by Splunk using the Aperture logging API. Logs are pulled down in JSON format with sourcetype="pan:aperture" and eventtype="pan_aperture".

Create a Client App in Aperture

Use the instruction in the Aperture Administrator's Guide to create a Client App in your Aperture instance:

This action will provide you a Client ID and Client Secret. The Client Secret will be shown only once, so make sure to record it or you'll need to re-create the Client App to get a new Client Secret.

Add the credentials to Splunk

In Splunk, navigate to the Palo Alto Networks Add-on.

Once inside the Add-on, click the Configuration tab, and ensure you're on the Account tab. Click Add in the top right corner to add new credentials.

In the dialog window, enter the following:

Account nameAny friendly account name (eg. "Aperture_creds")
UsernameThe Client ID
PasswordThe Client Secret

Then click Add to save these credentials.

Create an Aperture input in Splunk

Within the Add-on, click the Inputs tab at the top left. Then click Create New Input and then select Aperture.

Enter the settings for the Aperture input:

NameAny friendly name (eg. "Aperture")
IntervalFrequency in seconds to check for new logs (60 seconds recommended)
IndexThe index in which to put the Aperture logs
Global AccountThe account you created in the previous step

Click Add to save the Aperture input.


After waiting the interval time, check that logs are coming into Splunk by clicking Search at the top and entering this search:


You should see some JSON formatted logs show up. If nothing shows up, wait a little longer, ensure there is activity in Aperture to generate logs, and try the Troubleshooting Guide.