Hi all,

I configured an EDL and URL feed from Autofocus by following the steps in https://splunk.paloaltonetworks.com/autofocus-and-minemeld.html. However, when I try to review the details from the macros from the link above, no results are returned.

From the log file /opt/splunk/var/log/splunk/Splunk_TA_paloalto_minemeld_feed.log, I get the following entry for the EDL feed:

2021-01-05 15:29:16,550 ERROR pid=208666 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/minemeld_feed.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/input_module_minemeld_feed.py", line 84, in collect_events
    mmf_entries = get_feed_entries(helper, name, start, stats)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/input_module_minemeld_feed.py", line 45, in inner
    ret_val = func(*args)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/input_module_minemeld_feed.py", line 157, in get_feed_entries
    feed_entries = resp.json()
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/requests/models.py", line 897, in json
    return complexjson.loads(self.text, **kwargs)
  File "/opt/splunk/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/opt/splunk/lib/python3.7/json/decoder.py", line 340, in decode
    raise JSONDecodeError("Extra data", s, end)
json.decoder.JSONDecodeError: Extra data: line 1 column 4 (char 3)

From the URL feed, I get:

2021-01-08 12:12:19,748 ERROR pid=15255 tid=MainThread file=base_modinput.py:log_error:309 | Failed to get entries for "af_daily": 401 Client Error: Unauthorized for url: https://autofocus.paloaltonetworks.com/output/threatFeedResult?v=json&tr=1

I have verified/retried the credentials and the API key (for Autofocus) to confirm that I have the correct value.

Note: I do get results from accessing the EDL/URL feeds manually via cURL.

Please let me know what else I can try.
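An added diagnostic sketch, not part of the original post or of the Splunk_TA_paloalto code: it shows that `json.loads`, the call `resp.json()` reaches in the traceback above, raises the same `Extra data: line 1 column 4 (char 3)` message when a response body is a plain-text indicator list rather than JSON. The function name `classify_feed_body` and the sample bodies are constructed, and whether the poster's EDL feed actually returns such a body is an assumption; saving the cURL output to a file and passing its contents to the function would confirm it.

```python
import json

# Constructed sample bodies (assumptions, not captured from the poster's feeds).
SAMPLE_JSON = '[{"indicator": "198.51.100.7", "type": "IPv4"}]'
SAMPLE_JSON_LINES = '{"indicator": "a.example"}\n{"indicator": "b.example"}\n'
SAMPLE_TEXT = "1.2.3.4\n198.51.100.0/24\n"  # plain-text list, one entry per line


def classify_feed_body(text):
    """Classify a feed response body before handing it to a JSON-only parser.

    Returns a dict with:
      kind    -- "empty", "json", "json-lines" or "text"
      entries -- parsed objects (JSON kinds) or raw lines (text)
      error   -- the json.loads message for the whole body, or None
    """
    body = text.strip()
    if not body:
        return {"kind": "empty", "entries": [], "error": None}

    # Same call that requests' resp.json() ends up making on the body.
    try:
        parsed = json.loads(body)
        entries = parsed if isinstance(parsed, list) else [parsed]
        return {"kind": "json", "entries": entries, "error": None}
    except json.JSONDecodeError as exc:
        error = str(exc)

    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]

    # One JSON object per line also fails json.loads() on the whole body.
    try:
        objects = [json.loads(ln) for ln in lines]
        if all(isinstance(obj, dict) for obj in objects):
            return {"kind": "json-lines", "entries": objects, "error": error}
    except json.JSONDecodeError:
        pass

    # Anything else is treated as a plain-text list (or an error page).
    return {"kind": "text", "entries": lines, "error": error}


if __name__ == "__main__":
    for name in ("SAMPLE_JSON", "SAMPLE_JSON_LINES", "SAMPLE_TEXT"):
        result = classify_feed_body(globals()[name])
        print(name, "->", result["kind"], "|", result["error"])
```

With `SAMPLE_TEXT`, the decoder reads `1.2` as a complete number and then stops at the next `.`, which is why the error position is character 3.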