All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the warning msg: -0600 or -0700 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]?

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎10-03-2018 06:01 PM

In my Splunk diag, I see a lot of warnings from my Palo Alto Networks Add-On:

-0600 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.

or

-0700 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.

What is this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎01-01-2019 01:47 AM

This is a bug in the Palo Alto Networks Add-On App:

https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/27

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎01-01-2019 01:47 AM

This is a bug in the Palo Alto Networks Add-On App:

https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/27

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

0 Karma
Reply
Solved! Jump to solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎10-03-2018 06:09 PM

This is a bug in the Palo Alto Networks Add-On App:

https://github.com/PaloAltoNetworks/Splunk_TA_paloalto/issues/27

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...