In my Splunk diag, I see a lot of warnings from my Palo Alto Networks Add-On:
-0600 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.
or
-0700 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.
What is this?
This is a bug in the Palo Alto Networks Add-On App:
https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/27
In the default props.conf, it has:
EVAL-url_length = if len(user_agent)
It should be:
EVAL-url_length = len(url)
You can create a local props.conf and add that to [pan:threat] as follows:
[pan:threat]
EVAL-url_length = len(url)
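
To find every stanza and EVAL attribute that triggers this warning across the logs in a diag, the following added example (not part of the original answer or the add-on's code) parses lines in the format quoted in the question and lists the entries that need a corrected local props.conf override. The sample log, including its timestamps, the INFO line and the [example:sourcetype] entry, is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the CalcFieldProcessor warning format quoted in the question.
WARNING_RE = re.compile(
    r"WARN\s+CalcFieldProcessor - Invalid eval expression for "
    r"'(?P<attr>EVAL-[^']+)' in stanza \[(?P<stanza>[^\]]+)\]: (?P<reason>.+)$"
)

# Constructed sample input: timestamps, the INFO line and the
# [example:sourcetype] entry are made up for illustration.
SAMPLE_LOG = """\
01-12-2016 09:15:02.113 -0600 WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.
01-12-2016 09:15:07.480 -0600 INFO  Metrics - group=pipeline, name=typing
01-12-2016 09:16:31.902 -0600 WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.
01-12-2016 09:17:44.015 -0600 WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-example_field' in stanza [example:sourcetype]: The expression is malformed.
"""


def summarize_eval_warnings(lines):
    """Count warnings per (stanza, attribute, reason), ignoring other log lines."""
    counts = Counter()
    for line in lines:
        match = WARNING_RE.search(line.rstrip())
        if match:
            counts[(match["stanza"], match["attr"], match["reason"])] += 1
    return counts


def overrides_needed(counts):
    """Return {stanza: sorted attribute names} that need a corrected local entry."""
    stanzas = {}
    for stanza, attr, _reason in counts:
        stanzas.setdefault(stanza, set()).add(attr)
    return {stanza: sorted(attrs) for stanza, attrs in stanzas.items()}


if __name__ == "__main__":
    counts = summarize_eval_warnings(SAMPLE_LOG.splitlines())
    for (stanza, attr, reason), n in counts.most_common():
        print(f"{n:>4}  [{stanza}] {attr}: {reason}")
```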