
Where to create the modular input for Palo Alto Minemeld?

Hi everybody,

I have a search head cluster and deployed the Palo Alto add-on and app. Some features rely on modular inputs that put data into the KV store, like Autofocus Export and Minemeld. Since I do not have a dedicated search head just for the PA app, I have to enable these inputs somehow on a search head. Where in a Search Head Cluster should I do this? Pick one random search head in the cluster? Are there best practices for this?

Thanks!

  • Michael
Re: Where to create the modular input for Palo Alto Minemeld?

I am having the same problem. I did pick one search head, but now I am getting an error in "SplunkTApaloaltominemeldfeed.log":

2018-03-13 11:30:50,687 INFO pid=4798 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-03-13 11:30:51,633 ERROR pid=4798 tid=MainThread file=base_modinput.py:log_error:307 | Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/modinput_wrapper/base_modinput.py", line 113, in stream_events
    self.parse_input_args(input_definition)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/modinput_wrapper/base_modinput.py", line 152, in parse_input_args
    self._parse_input_args_from_global_config(inputs)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/modinput_wrapper/base_modinput.py", line 171, in _parse_input_args_from_global_config
    ucc_inputs = global_config.inputs.load(input_type=self.input_type)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunktaucclib/global_config/configuration.py", line 264, in load
    self._references = Configs(self._splunkd_client, self._schema).load()
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunktaucclib/global_config/configuration.py", line 355, in load
    config['entity']
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunktaucclib/global_config/configuration.py", line 175, in _load_endpoint
    **query
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 287, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 69, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 665, in get
    response = self.http.get(path, self._auth_headers, **query)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 1160, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/packages/splunklib/binding.py", line 1221, in request
    raise HTTPError(response)
HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"<class 'splunktaucclib.rest_handler.error.RestError'>\" from python handler: \"REST Error [500]: Internal Server Error -- Migrating failed. Traceback (most recent call last):\n  File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunk_aoblib/rest_migration.py\", line 18, in handle\n    return func(*args, **kwargs)\n  File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunk_aoblib/rest_migration.py\", line 70, in _migrate\n    self._migrate_conf_credential()\n  File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunk_aoblib/rest_migration.py\", line 160, in _migrate_conf_credential\n    conf_file, stanzas = self._load_conf(conf_file_name)\n  File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/splunk_aoblib/rest_migration.py\", line 177, in _load_conf\n    stanzas = conf_file.get_all()\n  File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/utils.py\", line 154, in wrapper\n    return func(*args, **kwargs)\n  File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/conf_manager.py\", line 236, in get_all\n    key_values = self._decrypt_stanza(name, stanza_mgr.content)\n  File \"/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/solnlib/conf_manager.py\", line 121, in _decrypt_stanza\n    self._cred_mgr.get_password(stanza_name))\n  File \"/opt/splunk/lib/python2.7/json/__init__.py\", line 339, in loads\n    return _default_decoder.decode(s)\n  File \"/opt/splunk/lib/python2.7/json/decoder.py\", line 364, in decode\n    obj, end = self.raw_decode(s, idx=_w(s, 0).end())\n  File \"/opt/splunk/lib/python2.7/json/decoder.py\", line 382, in raw_decode\n    raise ValueError(\"No JSON object could be decoded\")\nValueError: No JSON object could be decoded\n\".  See splunkd.log for more details."}]}