All Apps and Add-ons

Palo Alto Networks Add-on "Unable to initialize modular input"

dlauschke
Explorer

After the installation of the Palo Alto Networks Add-on for Splunk I'm getting a message saying:

Unable to initialize modular input "minemeld_feed" defined in the app "Splunk_TA_paloalto": Introspecting scheme=minemeld_feed: script running failed (exited with code 1)

The Add-on is not doing anything in the web interface. I've tried reinstalling it and also installing an older version, but the error stays the same.

0 Karma
1 Solution

dlauschke
Explorer

I figured it out, the Add-on does not work with Python 3. Setting Python 2 in the server.conf solved the problem.

View solution in original post

dlauschke
Explorer

I figured it out, the Add-on does not work with Python 3. Setting Python 2 in the server.conf solved the problem.

anandhalagaras1
Communicator

@dlauschke ,

I have just upgraded my Heavy Forwarder server from 7.3.1 to 8.1.2 version. And we have the  add-on already installed in our Heavy Forwarder server.

Splunk_TA_paloalto   6.1.1 version

So post upgrade of my Heavy Forwarder server i am getting the same error as below:

Unable to initialize modular input "minemeld_feed" defined in the app "Splunk_TA_paloalto": Introspecting scheme=minemeld_feed: script running failed (exited with code 1)..

So you have mentioned to update the server.conf with python 2.7 version so actually in which place (server.conf) we need to point out to the Python 2.7 either in the add-on or somewhere else kindly let us know.

Kindly help.

0 Karma

dlauschke
Explorer

Hi @anandhalagaras1 ,

the file I've changed was under system>local>server.conf, so that the whole splunk instance is running with the old python version.

But now I'm using the latest Palo Alto App + Add-on version 6.6.0, which works fine with python3.

I wish you the best of luck with your problem!

anandhalagaras1
Communicator

Thank you I have upgrade the add-on to the latest version post which it is working fine as expected.

 

Thanks for your prompt response.

0 Karma

dlauschke
Explorer

Here is some additional information from the logs that reappears everytime splunk is restarted:

  • 03-19-2020 17:11:28.998 +0100 INFO SpecFiles - Found external scheme definition for stanza="minemeld_feed://" from spec file="C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\README\inputs.conf.spec" with parameters="feed_url, indicator_timeout, credentials"
  • 03-19-2020 17:11:28.404 +0100 ERROR ModularInputs - Unable to initialize modular input "minemeld_feed" defined in the app "Splunk_TA_paloalto": Introspecting scheme=minemeld_feed: script running failed (exited with code 1)..
  • 03-19-2020 17:11:28.404 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: script running failed (exited with code 1).
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: ModuleNotFoundError: No module named 'urllib2'
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: import urllib2
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\solnlib\splunk_rest_client.py", line 24, in
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: from . import splunk_rest_client as rest_client
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\solnlib\acl.py", line 21, in
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: from . import (
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\solnlib_init_.py", line 19, in
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: from solnlib.packages.splunklib import modularinput as smi
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\modinput_wrapper\base_modinput.py", line 10, in
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: import modinput_wrapper.base_modinput
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\minemeld_feed.py", line 9, in
  • 03-19-2020 17:11:28.389 +0100 ERROR ModularInputs - Introspecting scheme=minemeld_feed: Traceback (most recent call last):
  • 03-19-2020 17:11:26.826 +0100 INFO SpecFiles - Found external scheme definition for stanza="minemeld_feed://" from spec file="C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\README\inputs.conf.spec" with parameters="feed_url, indicator_timeout, credentials"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...