I just installed the Splunk for Palo Alto Network apps. I created a folder under c:\program files\Splunk\etc\apps\PAN. Created a default and local folder, placing the following files:
props.conf, savedsearches.conf, transform.conf, fields.conf
Now I can see the app and the reports in Splunk, but am getting the following error when I try to run the reports.
TypeError: 'NoneType' object is unsubscriptable.
What am I missing?
This is unexpected, and more of a troubleshooting problem than fits neatly in splunk answers.
It could be one of several underlying issues, including permissions. If you installed the app yourself, be sure the splunk user has access to the files that the app installed as.
The specific error you're seeing is a splunkweb fail of some kind. The web_service.log may have a useful exception which helps clarify.
The root problem is often being encountered by splunkd, however, and passed back up to splunkweb. splunkd.log may be full of interesting comments.
This app was built for 3.x, and may need some tweaking for 4.x. Consider lifting the search directly out of the savedsearches.conf and see what you get there, for starters.