I was able to track this down to authentication/permissions from my splunk box to the minemeld feed URL. My desktop had authenticated and had access, but the Splunk TA had not. Here's the logfiles + entries that helped me track it down:
grep UNAUTHORIZED /opt/splunk/var/log/splunk/Splunk_TA_paloalto_minemeld_feed.log
2018-04-26 10:54:06,935 ERROR pid=14717 tid=MainThread file=base_modinput.py:log_error:307 | Failed to get entries for "AFtest": 401 Client Error: UNAUTHORIZED for url: https://redacted.paloaltonetworks-app.com/feeds/AF-Ransomware-FeedHCRedWithValue-IPv4?tr=1&v=json
I used a different minemeld feed with less restrictive access controls and it seems to be working correctly:
2018-05-03 18:20:15,283 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2018-05-03 18:20:15,283 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | START Splunk_TA_paloalto indicator retrieval for "AF_o365_IPv4"
2018-05-03 18:20:15,283 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,314 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | Removing 502 previous entries for MineMeld feed "AF_o365_IPv4"
2018-05-03 18:20:15,316 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,366 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,665 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | Saving 502 entries for MineMeld feed "AF_o365_IPv4"
2018-05-03 18:20:15,665 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,712 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,743 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | END Splunk_TA_paloalto indicator retrieval for "AF_o365_IPv4"
... View more