Palo Alto app/TA installed across search/index cluster and on ES standalone head. Ran without problems for some time, but now we're seeing errors on the search cluster for ANY search in Splunk. Two errors per indexer:
Can anyone point me in the right direction for a solution to this? I've been digging and can't find an obvious reason for the error.
Thanks.
The solution for this ended up being a search head out of sync with the rest of the cluster. Once I resolved the sync issue, the error disappeared.
Thanks to the others for your responses.
Sweet. Click Accept on your answer to close the question.
I believe this came up when https://splunkbase.splunk.com/app/2757/ version 6.0.0 introduced Mime, which broke the props/transforms.conf. This has since been fixed in later versions. We use 6.0.2 with no issues now and also an updated version 6.1.x
You must add it in the right place. Go to Settings -> Lookups -> Lookup Definitions and search for the reported lookup (minemeldfeeds_dest_lookup). There you will see the name of the lookup file being used and the app which should own it. Create/replace the lookup file with the same name in that app and the error will go away.
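The check described in the last answer can also be run against the file system. This is an added example, not code from the thread or from the Palo Alto app: it assumes the standard layout in which a file-based lookup is a transforms.conf stanza with a `filename` key and the file sits in the owning app's `lookups` directory. The app name `Example_TA` and the CSV file names are constructed.

```python
import os
import tempfile

def lookup_definitions(conf_path):
    """Yield (stanza, filename) for file-based lookup stanzas in a transforms.conf."""
    stanza = None
    with open(conf_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
            elif stanza and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                if key == "filename":  # KV store/external lookups have no filename key
                    yield stanza, value

def missing_lookup_files(apps_dir):
    """Return sorted (app, stanza, filename) where the owning app lacks the lookup file."""
    missing = set()
    for app in sorted(os.listdir(apps_dir)):
        for layer in ("default", "local"):
            conf = os.path.join(apps_dir, app, layer, "transforms.conf")
            if os.path.isfile(conf):
                for stanza, filename in lookup_definitions(conf):
                    if not os.path.isfile(os.path.join(apps_dir, app, "lookups", filename)):
                        missing.add((app, stanza, filename))
    return sorted(missing)

def build_demo_tree(root):
    """Constructed sample: one app with one satisfied and one dangling lookup definition."""
    app = os.path.join(root, "Example_TA")  # hypothetical app name
    os.makedirs(os.path.join(app, "default"))
    os.makedirs(os.path.join(app, "lookups"))
    with open(os.path.join(app, "default", "transforms.conf"), "w", encoding="utf-8") as fh:
        # Stanza name is the one from the thread; the file names are constructed.
        fh.write("[minemeldfeeds_dest_lookup]\nfilename = example_feeds.csv\n\n"
                 "[example_present_lookup]\nfilename = present.csv\n")
    with open(os.path.join(app, "lookups", "present.csv"), "w", encoding="utf-8") as fh:
        fh.write("dest,category\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for app, stanza, filename in missing_lookup_files(build_demo_tree(tmp)):
            print(f"{app}: lookup '{stanza}' expects lookups/{filename} (missing)")
```

On a real search head, pass the apps directory under the Splunk installation to `missing_lookup_files` instead of the demo tree, and run it on each cluster member to compare results.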