I'm troubleshooting an error I get with SA-ThreatIntelligence in ES: in Data inputs » Threat Lists, I have several data inputs, i.e. URLs from which txt files are downloaded and then converted in csv files.
While the download is performed without errors, I keep on receiving this error during a following step (/opt/splunk/var/log/splunk/pythonmodularinput.log):
Do any of the downloads & merges function? If so, I would disabled all and turn them back on one by one until you narrow down to the threatlist download that is failing.
-disable all of the lists
-clone one of the disabled threatlist downloads and enable the clone. If that works then you may need to recreate the threatlist downloads. This fixed some of the custom threatlists that seemed to get stuck for me.