Proofpoint TAP modular app input: Error updating inputs.conf: HTTP 400 Bad Request -- Argument "pyt

konstr
Path Finder

We are trying to ingest logs from Proofpoint TAP using the available addon. We have successfully created the TAP input in our Splunk Cloud but we see no data coming in.

Upon further inspection the following error appears every time the input runs.

11-30-2020 13:27:57.345 +0000 ERROR ExecProcessor [11603 ExecProcessor] - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://TAP_proofpoint_test: stream_events/proofpoint_tap_siem://TAP_proofpoint_test: Error updating inputs.conf: HTTP 400 Bad Request -- Argument "python.version" is not supported by this handler.

Any idea of what the problem might be and how we can fix it?

0 Karma

konstr
Path Finder

We managed to solve the issue eventually. It seems that Splunk support did not install the latest available version of the TA to our Splunk Cloud instance. Even though the version they installed was still compatible with version 8.1 of Splunk, it was not working with Splunk Cloud. Once the TA was updated, everything started working as expected.

0 Karma

subvocal
Engager

I'm happy to hear that it's now working! Thanks for sharing what the issue was and how to fix it.

0 Karma

subvocal
Engager

Hi @konstr - To rule out any sort of issue with communication and verify that the problem is with the configuration of the client, would you mind running the following command from the Splunk command line?

curl "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&sinceSeconds=3600" --user "principal:secret" -s

- Change principal:secret to the appropriate values. If that's working, it tells us the credentials and the communication are proper. If this is successful, I suggest opening a ticket with Proofpoint support for additional assistance. We can share the final solution here for the community.

0 Karma

konstr
Path Finder

Hi @subvocal, thank you for the reply. I have already tried manually curling the API and I can verify that the credentials are working and there is no problem with the communication/authentication.

On top of that, I have tried to set the input on a local Splunk Dev instance with success and the add-on is working fine. The problem seems to be when using the add-on in Splunk Cloud (dev instance was on-prem Splunk Enterprise).

We have chased it up internally and contacted Proofpoint. I will update this once we find a solution.
