Palo Alto Networks Add-on: How to stop "minemeld" lookup errors?

Glasses
Builder

I am on Splunk 7.3.3 and I installed the Palo Alto TA on the SH, FH, and IDX for field parsing.
The TA works but I am getting the following errors:

6 errors occurred while the search was executing. Therefore, search results might be incomplete
Could not load lookup=LOOKUP-minemeldfeeds_dest_lookup
Could not load lookup=LOOKUP-minemeldfeeds_src_lookup

I only see these lookups under automatic lookups.
I am using Palo Alto TA add on 6.2.0.
I am not using the MineMeld Palo feature, so I am looking for a way to disable it and stop the errors.

Any advice is appreciated.

Thank you.

0 Karma
1 Solution

panguy
Contributor

Try commenting out lines 125, 126, 173, 174 from props.conf in Splunk_TA_paloalto. This answer works as of version 6.2.0 of the add-on.
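The line numbers in the answer above apply to version 6.2.0 only. As an added example (not part of the original thread and not the add-on's own code), this sketch finds the settings by the `LOOKUP-minemeldfeeds` key prefix shown in the error messages and comments them out, including backslash-continued lines. The sample text, stanza names and lookup arguments are constructed placeholders, not the real props.conf.

```python
import re

# Key prefix taken from the error messages in the question.
PATTERN = re.compile(r"^\s*(LOOKUP-minemeldfeeds\w*)\s*=")
STANZA = re.compile(r"^\s*\[(.+)\]\s*$")

def find_minemeld_lookups(text):
    """Return (first_line, stanza, key, last_line) per match, 1-indexed."""
    hits, stanza, lines = [], None, text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = STANZA.match(line)
        if m:
            stanza = m.group(1)
        k = PATTERN.match(line)
        if k:
            end = i
            # A trailing backslash continues the setting on the next line.
            while lines[end].rstrip().endswith("\\") and end + 1 < len(lines):
                end += 1
            hits.append((i + 1, stanza, k.group(1), end + 1))
            i = end
        i += 1
    return hits

def comment_out(text):
    """Return text with each matched setting and its continuations commented."""
    lines = text.splitlines()
    for start, _, _, end in find_minemeld_lookups(text):
        for n in range(start - 1, end):
            lines[n] = "# " + lines[n]
    return "\n".join(lines) + "\n"

# Constructed sample, NOT the add-on's real props.conf: stanza names,
# lookup arguments and line positions are placeholders.
SAMPLE = """\
[example:sourcetype_a]
EVAL-vendor = "Example"
LOOKUP-minemeldfeeds_dest_lookup = example_lookup indicator AS dest \\
    OUTPUT value AS dest_feed
LOOKUP-minemeldfeeds_src_lookup = example_lookup indicator AS src OUTPUT value AS src_feed
[example:sourcetype_b]
LOOKUP-other = unrelated_lookup a AS b
"""

if __name__ == "__main__":
    for start, stanza, key, end in find_minemeld_lookups(SAMPLE):
        print(f"lines {start}-{end} [{stanza}] {key}")
```

Running `find_minemeld_lookups` on the edited text should return an empty list, which gives a quick check that no active minemeld lookup setting remains in that file.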

Glasses
Builder

fn awesome panguy!!! I cannot believe I missed that... problem solved...

Please convert to an answer, and if I had more points I would give you more...

0 Karma

panguy
Contributor

Have you tried disabling the automatic lookups from the "Lookups" setting page?

0 Karma

Glasses
Builder

There is no option to do that from the UI. I tried commenting them out but still get the error...

0 Karma

panguy
Contributor

Sorry, I didn't realize there is no option to disable it from the GUI. Commenting it out should work. Did you restart the instances?

0 Karma

panguy
Contributor

What lines did you comment out? I'm assuming you're commenting props.conf.

0 Karma

Glasses
Builder

We tried everything, disabled replication in collections.conf, props, transforms, everywhere, but if you know what to comment specifically I can go through it again?

0 Karma

Glasses
Builder

Yes, but still no luck. The only thing that stops the errors is disabling the app...

0 Karma

Glasses
Builder

It's referencing the indexer could not load the lookup = LOOKUP-minemeldfeeds_dest_lookup etc.
Do you know if there is a way to create what is missing somewhere?

0 Karma