Palo Alto Networks Add-on: How to stop "minemeld" lookup errors?

Glasses
Builder

I am on Splunk 7.3.3 and I installed the Palo Alto TA on the SH, FH, and IDX for field parsing.
The TA works but I am getting the following errors:

6 errors occurred while the search was executing. Therefore, search results might be incomplete
Could not load lookup=LOOKUP-minemeldfeeds_dest_lookup
Could not load lookup=LOOKUP-minemeldfeeds_src_lookup

I only see these lookups under automatic lookups.
I am using Palo Alto TA add on 6.2.0.
I am not using the MineMeld Palo feature, so I am looking for a way to disable it and stop the errors.

Any advice is appreciated.

Thank you.

0 Karma
1 Solution

panguy
Contributor

Try commenting out lines 125, 126, 173, 174 from props.conf in Splunk_TA_paloalto. This answer works as of version 6.2.0 of the add-on.
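One way to apply the answer above without relying on line numbers, as an added example that is not part of the original thread or the add-on's own code: it finds the `LOOKUP-minemeldfeeds_*` settings in props.conf by key name and comments them out. The function name, the stanza names and the lookup arguments in the sample are constructed; only the two lookup key names come from the error messages in the question.

```python
import re

STANZA = re.compile(r"^\[(.+)\]\s*$")

def comment_out_lookups(conf_text, prefix="LOOKUP-minemeldfeeds_"):
    """Comment out every setting whose key starts with `prefix`.

    Returns (new_text, hits); hits is a list of (line_no, stanza, key).
    """
    out, hits = [], []
    stanza, continuing = None, False
    for no, line in enumerate(conf_text.splitlines(), start=1):
        stripped = line.strip()
        if continuing:
            # Continuation of a setting being disabled: comment it out too.
            out.append("# " + line)
            continuing = stripped.endswith("\\")
            continue
        m = STANZA.match(stripped)
        if m:
            stanza = m.group(1)
        elif stripped.startswith(prefix) and "=" in stripped:
            key = stripped.split("=", 1)[0].strip()
            hits.append((no, stanza, key))
            out.append("# " + line)
            continuing = stripped.endswith("\\")
            continue
        out.append(line)
    return "\n".join(out) + "\n", hits

# Constructed sample, not the add-on's real props.conf: stanza names and
# lookup arguments are placeholders; only the two LOOKUP- keys are from the thread.
SAMPLE = """\
[example:sourcetype_a]
EVAL-vendor = "example"
LOOKUP-minemeldfeeds_dest_lookup = example_lookup indicator AS dest_ip \\
    OUTPUT value AS dest_feed
LOOKUP-other = another_lookup a OUTPUT b

[example:sourcetype_b]
LOOKUP-minemeldfeeds_src_lookup = example_lookup indicator AS src_ip OUTPUT value AS src_feed
"""

if __name__ == "__main__":
    patched, found = comment_out_lookups(SAMPLE)
    for no, stanza, key in found:
        print(f"line {no} [{stanza}] {key}")
    print(patched)
```

Matching on the key name matters because the line numbers in the answer are tied to version 6.2.0 of the add-on; running the function again on its own output changes nothing.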

Glasses
Builder

fn awesome panguy!!! I cannot believe I missed that... problem solved...

Please convert to an answer, and if I had more points I would give you more...

0 Karma

panguy
Contributor

Have you tried disabling the automatic lookups from the "Lookups" setting page?

0 Karma

Glasses
Builder

There is no option to do that from the UI. I tried commenting them out but still get the error...

0 Karma

panguy
Contributor

Sorry, I didn't realize there is no option to disable it from the GUI. Commenting it out should work. Did you restart the instances?

0 Karma

panguy
Contributor

What lines did you comment out? I'm assuming you're commenting props.conf.

0 Karma

Glasses
Builder

We tried everything, disabled replication in collections.conf, props, transforms, everywhere, but if you know what to comment specifically I can go through it again?

0 Karma

Glasses
Builder

Yes, but still no luck. The only thing that stops the errors is disabling the app...

0 Karma

Glasses
Builder

It's referencing the indexer: could not load the lookup = LOOKUP-minemeldfeeds_dest_lookup etc.
Do you know if there is a way to create what is missing somewhere?

0 Karma