Hi everybody,
I have a search head cluster and deployed the Palo Alto add-on and app. Some features rely on modular inputs that put data into the KV store, like Autofocus Export and Minemeld. Since I do not have a dedicated search head just for the PA app I have to enable these inputs somehow on a search head. Where in an Search Head Cluster should I do this? Pick one random search head in the cluster? Are there best practices for this?
Thanks!
I am having same problem. I did pick one search head but now i am getting error on "Splunk_TA_paloalto_minemeld_feed.log"
2018-03-13 11:30:50,687 INFO pid=4798 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-03-13 11:30:51,633 ERROR pid=4798 tid=MainThread file=base_modinput.py:log_error:307 | Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/modinput_wrapper/base_modinput.py", line 113, in stream_events
self.parse_input_args(input_definition)
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/modinput_wrapper/base_modinput.py", line 152, in parse_input_args
self._parse_input_args_from_global_config(inputs)
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/modinput_wrapper/base_modinput.py", line 171, in _parse_input_args_from_global_config
ucc_inputs = global_config.inputs.load(input_type=self.input_type)
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunktaucclib/global_config/configuration.py", line 264, in load
self._references = Configs(self._splunkd_client, self._schema).load()
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunktaucclib/global_config/configuration.py", line 355, in load
config['entity']
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunktaucclib/global_config/configuration.py", line 175, in _load_endpoint
**query
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 287, in wrapper
return request_fun(self, *args, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 69, in new_f
val = f(*args, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 665, in get
response = self.http.get(path, self._auth_headers, **query)
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 1160, in get
return self.request(url, { 'method': "GET", 'headers': headers })
File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 1221, in request
raise HTTPError(response)
HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"<class 'splunktaucclib.rest_handler.error.RestError'>\" from python handler: \"REST Error [500]: Internal Server Error -- Migrating failed. Traceback (most recent call last):\n File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunk_aoblib/rest_migration.py\", line 18, in handle\n return func(*args, **kwargs)\n File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunk_aoblib/rest_migration.py\", line 70, in _migrate\n self._migrate_conf_credential()\n File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunk_aoblib/rest_migration.py\", line 160, in _migrate_conf_credential\n conf_file, stanzas = self._load_conf(conf_file_name)\n File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunk_aoblib/rest_migration.py\", line 177, in _load_conf\n stanzas = conf_file.get_all()\n File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/utils.py\", line 154, in wrapper\n return func(*args, **kwargs)\n File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/conf_manager.py\", line 236, in get_all\n key_values = self._decrypt_stanza(name, stanza_mgr.content)\n File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/conf_manager.py\", line 121, in _decrypt_stanza\n self._cred_mgr.get_password(stanza_name))\n File \"/opt/splunk/lib/python2.7/json/__init__.py\", line 339, in loads\n return _default_decoder.decode(s)\n File \"/opt/splunk/lib/python2.7/json/decoder.py\", line 364, in decode\n obj, end = self.raw_decode(s, idx=_w(s, 0).end())\n File \"/opt/splunk/lib/python2.7/json/decoder.py\", line 382, in raw_decode\n raise ValueError(\"No JSON object could be decoded\")\nValueError: No JSON object could be decoded\n\". See splunkd.log for more details."}]}