I'm attempting to do a query to a KV store with the Python SDK's methods. I'm having an issue with passing along an operator and filter properly. The query I'm sending to the KV store is: {"$lte":{"Last_Update":str(age)}} Where Last_Update is an epoch time string inside of my KV store, and age is var for an epoch time I'm trying to filter against (generated by "age = int(time.time())-86400" When I run the query, I'm merely returned the entire KV store instead of the filtered data I desire. I've tried setting age as an int, and trying to format the query differently, however it has not had any effect on the results I'm seeing. If I do a splunk query of "|inputlookup my_kv_store where "age" (actual value from python) <= Last_Update" does work correctly though and gives me the results I'd expect. Anyone with any experience using this have any ideas where I'm going wrong? Unfortunately there doesn't appear to be any examples in the documentation of using the $lt, $lte, $gt, and $gte functions, nor within the framework of the Python SDK vs a standard REST call. ... View more

I'm attempting to filter my inputlookup command based on the amount of time that has passed between "now" (when the job is run) and a field in the table which is a integer representation of the epoch time. I'm attempting to do something like: |inputlookup my_kvstore where 2700<=now()-Last_PA_Send However, I'm getting the error: Error in 'SearchOperator:inputcsv': The ‘2700<=now()-Last_PA_Send’ filter could not be verified. It may contain invalid operators, or could not be optimized for search results. Any ideas how I could get a filter like this to work correctly and still utilize the performance benefits of a inputlookup filter? ... View more

Hello! I'm looking into using the Python SDK's KV store module to do some updating of a KV store. I've noticed that the insert & update functions are separate, leading me to asking this: How should I best go about updating a KV store and adding any potential records if there is no key match? Does the 'update' function create a new record if a key does not match, or would it return some kind of ValueError or something similar I can do a try/except loop for? Also are there any examples or guides out there for this functionality (apart from the reference manual which I've found)? I'd just like to see it in action so I can verify some other questions I had, such as should my "data" document string be the same JSON as I would put in the REST POST method? Thanks! ... View more

Hello, When attempting to distribute the Palo Alto Networks Add-on for Splunk, I'm receiving the following errors from Splunk regarding the push. This is on the currently deployed version of the Palo Alto Networks Add-on for Splunk on Splunkbase. I'm currently running 6.3.0.1. What ideas do you have or steps should I take to remediate this problem? Invalid key in stanza [pantag] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 18: param._cam (value: { "category" : ["Information Conveyance"], "task" : ["create", "delete", "allow", "block"], "subject" : ["network.firewall"], "technology" : [{"vendor":"Palo Alto Networks", "product":"Firewall"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true }) Invalid key in stanza [panwildfiresubmit] in /opt/splunk/etc/master-apps/Splunk_TA_paloalto/default/alert_actions.conf, line 38: param._cam (value: { "category" : ["Information Gathering"], "task" : ["scan"], "subject" : ["process.sandbox"], "technology" : [{"vendor":"Palo Alto Networks", "product":"WildFire"}], "drilldown_uri" : "../myapp/myview?form.sid=$orig_sid$&form.rid=$orig_rid$", "supports_adhoc" : true }) Here is what the config file in question looks like: ... View more