All Apps and Add-ons

What is the warning msg: -0600 or -0700 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]?

rkantamaneni_sp
Splunk Employee
Splunk Employee

In my Splunk diag, I see a lot of warnings from my Palo Alto Networks Add-On:

-0600 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.

or

-0700 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.

What is this?

0 Karma
1 Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee

This is a bug in the Palo Alto Networks Add-On App:

https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/27

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

View solution in original post

0 Karma

rkantamaneni_sp
Splunk Employee
Splunk Employee

This is a bug in the Palo Alto Networks Add-On App:

https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/27

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

0 Karma

rkantamaneni_sp
Splunk Employee
Splunk Employee

This is a bug in the Palo Alto Networks Add-On App:

https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/27

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...