Thanks to @fverdi for the tip. The error seems to be due to the empty automatic lookup, so I added a dummy entry to the minemeldfeeds kvstore collection to get rid of the warning message when searching the paloalto data in Splunk. Here's the curl command to add the entry. Just remember to remove the entry if you enable the minemeld feeds.

curl -k -u admin \
  https://<SEARCH-HEAD>:8089/servicesNS/nobody/Splunk_TA_paloalto/storage/collections/data/minemeldfeeds \
  -H "Content-Type: application/json" \
  -d '{ "myKey": "temp", "description": "remove this entry from this collection when enabling minemeld feeds" }'