https://community.splunk.com/t5/All-Apps-and-Add-ons/Cortex-XDR-Add-On-installation/m-p/620474#M77952 <P>Hello all,<BR />I'm trying to install Palo Alto Add-On to integrate Cortex XDR on Splunk. I followed the steps in&nbsp;<A href="https://splunk.paloaltonetworks.com/cortex-xdr.html" target="_blank" rel="noopener">https://splunk.paloaltonetworks.com/cortex-xdr.html</A><BR />configured Tenant Name, API Key ID and API Key but when tries to retrieve events this error it's logged:<BR /><BR />File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/requests/adapters.py", line 516, in send<BR />raise ConnectionError(e, request=request)<BR />requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api-https', port=443): Max retries exceeded with url: //<STRIKE>masked_tenant_name</STRIKE>.xdr.<STRIKE>masked_tenant_region</STRIKE>.paloaltonetworks.com/.xdr.<STRIKE>masked_tenant_region</STRIKE>.paloaltonetworks.com/public_api/v1/incidents/get_incidents/ (Caused by NewConnectionError('&lt;urllib3.connection.VerifiedHTTPSConnection object at 0x7f1afcb645d0&gt;: Failed to establish a new connection: [Errno -2] Name or service not known'))<BR /><BR />As you can see, after the message "Max retries exceeded with url:" the URL doesn't contain "https:", well this cannot be the problem.<BR />The configuration it's this:<BR />Name = DEV_XDR<BR />Interval = 60<BR />Index = default<BR />Status = false<BR />Tenant Namehttps://<STRIKE>masked_tenant_name</STRIKE>.xdr.<STRIKE>masked_tenant_region</STRIKE>.paloaltonetworks.com/<BR />Tenant Region = <STRIKE>masked_tenant_region<BR /></STRIKE>API Key ID********<BR />API Key********<BR /><BR />I tried "curl" from server with add-on to the tenant URL, and the URL can be reached<BR /><BR />Before openning a case in Palo Alto, did anyone had this problem or similar before?</P> Fri, 11 Nov 2022 08:32:35 GMT rivars 2022-11-11T08:32:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cortex-XDR-Add-On-installation/m-p/620474#M77952 <P>Hello all,<BR />I'm trying to install Palo Alto Add-On to integrate Cortex XDR on Splunk. I followed the steps in&nbsp;<A href="https://splunk.paloaltonetworks.com/cortex-xdr.html" target="_blank" rel="noopener">https://splunk.paloaltonetworks.com/cortex-xdr.html</A><BR />configured Tenant Name, API Key ID and API Key but when tries to retrieve events this error it's logged:<BR /><BR />File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/requests/adapters.py", line 516, in send<BR />raise ConnectionError(e, request=request)<BR />requests.exceptions.ConnectionError: HTTPSConnectionPool(host='api-https', port=443): Max retries exceeded with url: //<STRIKE>masked_tenant_name</STRIKE>.xdr.<STRIKE>masked_tenant_region</STRIKE>.paloaltonetworks.com/.xdr.<STRIKE>masked_tenant_region</STRIKE>.paloaltonetworks.com/public_api/v1/incidents/get_incidents/ (Caused by NewConnectionError('&lt;urllib3.connection.VerifiedHTTPSConnection object at 0x7f1afcb645d0&gt;: Failed to establish a new connection: [Errno -2] Name or service not known'))<BR /><BR />As you can see, after the message "Max retries exceeded with url:" the URL doesn't contain "https:", well this cannot be the problem.<BR />The configuration it's this:<BR />Name = DEV_XDR<BR />Interval = 60<BR />Index = default<BR />Status = false<BR />Tenant Namehttps://<STRIKE>masked_tenant_name</STRIKE>.xdr.<STRIKE>masked_tenant_region</STRIKE>.paloaltonetworks.com/<BR />Tenant Region = <STRIKE>masked_tenant_region<BR /></STRIKE>API Key ID********<BR />API Key********<BR /><BR />I tried "curl" from server with add-on to the tenant URL, and the URL can be reached<BR /><BR />Before openning a case in Palo Alto, did anyone had this problem or similar before?</P> Fri, 11 Nov 2022 08:32:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cortex-XDR-Add-On-installation/m-p/620474#M77952 rivars 2022-11-11T08:32:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cortex-XDR-Add-On-installation/m-p/620552#M77955 <P>Hello,&nbsp;<BR />I was able to solve this problem. In the "tenant name" filed when configuring, I added the full URL, not only the tenant name. That's the reason of duplicate URL in log.<BR />I configured just tenant name and now it's working fine.<BR />Thank you</P> Fri, 11 Nov 2022 08:31:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cortex-XDR-Add-On-installation/m-p/620552#M77955 rivars 2022-11-11T08:31:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cortex-XDR-Add-On-installation/m-p/670261#M80003 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249000">@rivars</a>&nbsp; You are a lifesaver! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Thu, 30 Nov 2023 07:26:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cortex-XDR-Add-On-installation/m-p/670261#M80003 Rakzskull 2023-11-30T07:26:17Z