I performed a clean installation of the Palo Alto Networks App 6.0 & Palo Alto Networks Add-on 6.0 on Splunk 7.0 with CIM 4.9.1 but got the following error.
Note:
At this time I only have Panorama 8.x and Wildfire setup. I do not have the other inputs like AutoFocus setup.
Thanks for pointing this out to us. We will get this fix into a next release.
In the meantime, the workaround is to go to:
/$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/README/inputs.conf.spec
Remove these lines at the bottom of the file:
```
[threatlist://<name>]
description =
interval =
disabled =
type =
url =
```
You will also need to comment out everything in the "MineMeld Inputs" section of the Splunk_TA_paloalto/default/inputs.conf file.
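The second step of the workaround above, as an added example that is not part of the original answer or the add-on's code: it comments out every `[threatlist://...]` stanza in an inputs.conf text and checks that no stanza named in the "Invalid key" messages is still live. The function names, the monitor stanza and the `interval`/`disabled` values in the sample are constructed for illustration.

```python
import re

STANZA = re.compile(r"^\s*\[([^\]]+)\]")
INVALID_KEY = re.compile(r"Invalid key in stanza \[([^\]]+)\]")

# Constructed inputs.conf sample; the monitor stanza and interval/disabled values are made up.
SAMPLE_CONF = """\
[monitor:///var/log/example.log]
disabled = 1

[threatlist://minemeld_ipv4threatlist]
description = MineMeld IPv4 threatlist indicators for Splunk ES
interval = 300
disabled = false
type = threatlist
url = lookup://minemeld_ipv4threatlist

[threatlist://minemeld_domainthreatlist]
description = MineMeld Domain threatlist indicators for Splunk ES
type = threatlist
url = lookup://minemeld_domainthreatlist
"""

# Two validation messages in the format quoted in this thread.
SAMPLE_LOG = r"""
Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 23: description (value: MineMeld IPv4 threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_domainthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 33: type (value: threatlist).
"""

def comment_out_stanzas(conf_text, prefix="threatlist://"):
    """Return (patched_text, stanza_names) with every matching stanza commented out."""
    out, names, active = [], [], False
    for line in conf_text.splitlines():
        m = STANZA.match(line)
        if m:  # a live stanza header decides whether the following lines are commented
            active = m.group(1).startswith(prefix)
            if active:
                names.append(m.group(1))
        needs_comment = active and line.strip() and not line.lstrip().startswith("#")
        out.append("# " + line if needs_comment else line)
    return "\n".join(out) + "\n", names

def still_live(validation_output, conf_text):
    """Stanzas named in 'Invalid key' messages that are still uncommented in conf_text."""
    flagged = set(INVALID_KEY.findall(validation_output))
    live = {m.group(1) for m in map(STANZA.match, conf_text.splitlines()) if m}
    return sorted(flagged & live)

if __name__ == "__main__":
    patched, names = comment_out_stanzas(SAMPLE_CONF)
    print(patched)
    print("commented out:", names, "| still live:", still_live(SAMPLE_LOG, patched))
```

Files under an app's `default` directory are replaced when the add-on is upgraded, so the edit has to be repeated if a later package still ships these stanzas.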
After I removed those lines, when validating the cluster bundle for our index cluster, I received these errors:
```
[Not Critical] Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 23: description (value: MineMeld IPv4 threatlist indicators for Splunk ES).
[Not Critical] Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 26: type (value: threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 27: url (value: lookup://minemeld_ipv4threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_domainthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 30: description (value: MineMeld Domain threatlist indicators for Splunk ES).
[Not Critical] Invalid key in stanza [threatlist://minemeld_domainthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 33: type (value: threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_domainthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 34: url (value: lookup://minemeld_domainthreatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_urlthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 37: description (value: MineMeld URL threatlist indicators for Splunk ES).
[Not Critical] Invalid key in stanza [threatlist://minemeld_urlthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 40: type (value: threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_urlthreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 41: url (value: lookup://minemeld_urlthreatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_filethreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 44: description (value: MineMeld file threatlist indicators for Splunk ES).
[Not Critical] Invalid key in stanza [threatlist://minemeld_filethreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 47: type (value: threatlist).
[Not Critical] Invalid key in stanza [threatlist://minemeld_filethreatlist] in D:\Splunk\etc\master-apps\Splunk_TA_paloalto\default\inputs.conf, line 48: url (value: lookup://minemeld_filethreatlist).
```
After commenting out everything in the "MineMeld Inputs" section of the Splunk_TA_paloalto/default/inputs.conf file, the validation was successful.
(We're not using any of that functionality)
I am updating my answer to include commenting out the lines in inputs.conf.
This bug will be fixed in version 6.0.1.
After removing those lines I get these errors when starting Splunk, which are similar to the error the other person got. My setup is a single instance for testing, so no cluster.
```
Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 23: description (value: MineMeld IPv4 threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 26: type (value: threatlist).
Invalid key in stanza [threatlist://minemeld_ipv4threatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 27: url (value: lookup://minemeld_ipv4threatlist).
Invalid key in stanza [threatlist://minemeld_domainthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 30: description (value: MineMeld Domain threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_domainthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 33: type (value: threatlist).
Invalid key in stanza [threatlist://minemeld_domainthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 34: url (value: lookup://minemeld_domainthreatlist).
Invalid key in stanza [threatlist://minemeld_urlthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 37: description (value: MineMeld URL threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_urlthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 40: type (value: threatlist).
Invalid key in stanza [threatlist://minemeld_urlthreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 41: url (value: lookup://minemeld_urlthreatlist).
Invalid key in stanza [threatlist://minemeld_filethreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 44: description (value: MineMeld file threatlist indicators for Splunk ES).
Invalid key in stanza [threatlist://minemeld_filethreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 47: type (value: threatlist).
Invalid key in stanza [threatlist://minemeld_filethreatlist] in C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\default\inputs.conf, line 48: url (value: lookup://minemeld_filethreatlist).
```
Kent - I commented every line out in the MineMeld Inputs section that starts with "[threatlist://minemeld_ipv4threatlist]" down to the bottom of the file, and that took care of the errors. We don't use the MineMeld functionality, so it didn't affect us.
Same here. I did the upgrade to 6.0 App and Add On on Splunk 7.0 but my PA500 is only running 7.0.15.
Same here. I did mine from an upgrade.
Thanks for opening this, can you tell me if you have Splunk Enterprise Security App installed? Also, any chance you can send a screenshot of the error?
Not sure about @Task1906 but I am running the Free version of Splunk (less than 500mb).
No, I do not have it installed.
Thanks, looking into this now. In the meantime it shouldn't cause any problems except to be very annoying. 🙂
Also my Web Activity now has no data whereas before it did, not sure if that's related.