Palo Alto Add On - Can't consume Autofocus feeds

wlcv
Observer

Hi all,

I configured an EDL and URL feed from Autofocus by following the steps in https://splunk.paloaltonetworks.com/autofocus-and-minemeld.html. However, when I try to review the details with the macros from the link above, no results are returned.

From the log file: /opt/splunk/var/log/splunk/Splunk_TA_paloalto_minemeld_feed.log I get the following entry for the EDL feed:

2021-01-05 15:29:16,550 ERROR pid=208666 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/minemeld_feed.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/input_module_minemeld_feed.py", line 84, in collect_events
    mmf_entries = get_feed_entries(helper, name, start, stats)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/input_module_minemeld_feed.py", line 45, in inner
    ret_val = func(*args)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/input_module_minemeld_feed.py", line 157, in get_feed_entries
    feed_entries = resp.json()
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/requests/models.py", line 897, in json
    return complexjson.loads(self.text, **kwargs)
  File "/opt/splunk/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/opt/splunk/lib/python3.7/json/decoder.py", line 340, in decode
    raise JSONDecodeError("Extra data", s, end)
json.decoder.JSONDecodeError: Extra data: line 1 column 4 (char 3)

From the URL feed, I get:

2021-01-08 12:12:19,748 ERROR pid=15255 tid=MainThread file=base_modinput.py:log_error:309 | Failed to get entries for "af_daily": 401 Client Error: Unauthorized for url: https://autofocus.paloaltonetworks.com/output/threatFeedResult?v=json&tr=1

I have verified/retried the credentials and the API key (for Autofocus) to confirm that I have the correct value.

Note: I do get results from accessing the EDL/URL feeds manually via cURL.

Please let me know what else I can try.

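The traceback above shows the modular input calling resp.json() unconditionally (input_module_minemeld_feed.py line 157), so any non-JSON body surfaces as a JSONDecodeError rather than as a readable message about what the server actually sent. "Extra data: line 1 column 4 (char 3)" specifically means the decoder consumed the first three characters as one complete JSON value and then found more bytes behind it. The script below is an added diagnostic example, not code from the original post or from the Palo Alto Add-on: it classifies a feed response by status code and by what json.loads() makes of the body, and reproduces the decoder's message so it can be compared with the log line. All sample bodies are constructed; the plain-text sample starting with `1.2.3.4` happens to yield exactly the "char 3" position seen in the log, which is not a claim about what the real feed contains.

```python
# Added diagnostic example (not code from the original post or from the
# Palo Alto Add-on). It classifies a feed response body the way a person
# debugging the traceback above would: by status code, then by what
# json.loads() makes of the body. Every sample body below is constructed.
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class FeedDiagnosis:
    kind: str                         # "unauthorized", "empty", "json", "html", "text-list"
    detail: str                       # human-readable explanation
    entries: int = 0                  # number of entries found, if any
    json_error: Optional[str] = None  # the decoder's message, in the traceback's format


def diagnose_feed_body(body: str, status: int = 200) -> FeedDiagnosis:
    """Explain what a feed endpoint returned instead of assuming it is JSON."""
    if status == 401:
        # The server rejected the credential; the body is irrelevant at this point.
        return FeedDiagnosis("unauthorized",
                             "HTTP 401: the server rejected the supplied credential/API key")
    text = body.strip()
    if not text:
        return FeedDiagnosis("empty", "empty body: nothing for the input to parse")

    try:
        parsed = json.loads(text)
    except json.JSONDecodeError as exc:
        # Same format as the message in the Splunk_TA_paloalto_minemeld_feed.log traceback.
        err = f"{exc.msg}: line {exc.lineno} column {exc.colno} (char {exc.pos})"
        if exc.msg == "Extra data":
            # The decoder read one complete JSON value (text[:exc.pos]) and then found
            # more bytes; a plain-text line beginning "digits.digits." triggers exactly this.
            why = (f"body is not a JSON document; decoder consumed {text[:exc.pos]!r} "
                   f"as a JSON value and stopped at {text[exc.pos]!r}")
        else:
            why = "body is not a JSON document"
        if text.lower().startswith(("<!doctype", "<html")):
            return FeedDiagnosis("html",
                                 why + " (looks like an HTML page, e.g. a login or error page)",
                                 json_error=err)
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        return FeedDiagnosis("text-list",
                             why + f"; looks like a newline-delimited list, first entry {lines[0]!r}",
                             entries=len(lines), json_error=err)

    if isinstance(parsed, list):
        return FeedDiagnosis("json", "JSON array", entries=len(parsed))
    if isinstance(parsed, dict):
        return FeedDiagnosis("json", f"JSON object with keys {sorted(parsed)}", entries=len(parsed))
    return FeedDiagnosis("json", f"JSON scalar {parsed!r}", entries=1)


# Constructed sample bodies and status codes (not real AutoFocus output).
SAMPLES = {
    "edl-text": ("1.2.3.4\n5.6.7.8\n", 200),
    "domains":  ("bad.example\nworse.example\n", 200),
    "json":     ('[{"indicator": "1.2.3.4"}, {"indicator": "5.6.7.8"}]', 200),
    "html":     ("<!DOCTYPE html><html><body>Sign in</body></html>", 200),
    "rejected": ("", 401),
}


def run_samples() -> dict:
    """Diagnose every constructed sample; returns name -> FeedDiagnosis."""
    return {name: diagnose_feed_body(body, status) for name, (body, status) in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:9s} kind={d.kind:12s} entries={d.entries} json_error={d.json_error}")
        print(f"          {d.detail}")
```

To apply this to the real case, feed it the status code and body that curl returns for the same URL the input logs (the 401 line shows the exact URL, including the v=json and tr=1 query parameters), and compare the Content-Type header and the first line of the body with what the input expects: a "text-list" or "html" diagnosis on a 200 response means the endpoint answered, but not with JSON, which is the only shape the input's resp.json() call can consume.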