Solved: What is the warning msg: -0600 or -0700 WARN CalcF...

rkantamaneni_sp · ‎10-03-2018

In my Splunk diag, I see a lot of warnings from my Palo Alto Networks Add-On:

-0600 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.

or

-0700 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.

What is this?

rkantamaneni_sp · ‎01-01-2019

This is a bug in the Palo Alto Networks Add-On App:

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

rkantamaneni_sp · ‎01-01-2019

This is a bug in the Palo Alto Networks Add-On App:

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

rkantamaneni_sp · ‎10-03-2018

This is a bug in the Palo Alto Networks Add-On App:

In the default props.conf, it has:

 EVAL-url_length = if len(user_agent)

It should be:

 EVAL-url_length = len(url)

You can create a local props.conf and add that to [pan:threat] as follows:

[pan:threat]
EVAL-url_length = len(url)

What is the warning msg: -0600 or -0700 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]?