
Error with the pancontentpack search command. No results returned and Return error code 1 #222

Closed
bvarni opened this issue Nov 2, 2021 · 4 comments · Fixed by #225
Comments

@bvarni

bvarni commented Nov 2, 2021

After upgrading the SplunkforPaloAltoNetworks app and the Splunk_TA_paloalto add-on to version 6.6.2 on Splunk Enterprise version 8.1.5, the pancontentpack search command fails. No results are returned.

The Firewall user is configured within the add-on, using the same credentials that worked on the previous version of the app and add-on. The search command also fails testing in the dev environment for version 7.0.3 of the app/add-on and Splunk Enterprise version 8.2.2.1.

Splunk search:

```
| pancontentpack panorama.myorg.net threats
```

Error in the search UI window:

```
External search command 'pancontentpack' returned error code 1. .
```

Errors in search.log:

```
11-02-2021 16:11:46.436 ERROR ScriptRunner [25740 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py panorama.myorg.net threats': Traceback (most recent call last):
11-02-2021 16:11:46.436 ERROR ScriptRunner [25740 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py panorama.myorg.net threats': File "/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py", line 231, in
11-02-2021 16:11:46.436 ERROR ScriptRunner [25740 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py panorama.myorg.net threats': main()
11-02-2021 16:11:46.436 ERROR ScriptRunner [25740 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py panorama.myorg.net threats': File "/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py", line 220, in main
11-02-2021 16:11:46.436 ERROR ScriptRunner [25740 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py panorama.myorg.net threats': csv = parse_threats(threat_xml)
11-02-2021 16:11:46.436 ERROR ScriptRunner [25740 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py panorama.myorg.net threats': File "/opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py", line 167, in parse_threats
11-02-2021 16:11:46.436 ERROR ScriptRunner [25740 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py panorama.myorg.net threats': a[key] = string_types(a[key])
11-02-2021 16:11:46.436 ERROR ScriptRunner [25740 phase_1] - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/SplunkforPaloAltoNetworks/bin/panContentPack.py panorama.myorg.net threats': TypeError: 'tuple' object is not callable
11-02-2021 16:11:46.956 ERROR script [25740 phase_1] - sid:1635869484.26 External search command 'pancontentpack' returned error code 1. .
```

Previous app version and Splunk version (Splunk search completes as expected, returning results):
App/Add-on version - 6.1.0
Splunk Enterprise version - 7.3.0
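The traceback above fails at `a[key] = string_types(a[key])` with `TypeError: 'tuple' object is not callable`. In the `six` compatibility shim that Python 2/3 ports commonly use, `string_types` is a tuple of types intended for `isinstance()` checks (`(str,)` on Python 3), not a conversion function, so calling it raises exactly this error on every row and the search command exits with code 1. The following is an added example, not code from the SplunkforPaloAltoNetworks project and not necessarily the fix merged in #225: it reproduces the failure on a constructed list of threat rows and shows a coercion that uses `string_types` the way it is meant to be used. The `string_types` tuple, the sample rows and the helper names are assumptions made for this example.

```python
# Added example: reproduce the "'tuple' object is not callable" failure from the
# traceback and show a safe string coercion. Not the project's code, and not
# necessarily the change made in PR #225.
from typing import Any, Dict, List

# On Python 3, six.string_types == (str,): a TUPLE of types meant for
# isinstance() checks, never a callable. Defined inline (assumption: the
# project's string_types is such a tuple) so this runs without six installed.
string_types = (str,)

# Constructed sample rows standing in for attributes pulled out of the
# firewall's threat XML; the values are made up for this example.
SAMPLE_THREATS: List[Dict[str, Any]] = [
    {"threatid": 10001, "threatname": "Example Threat A", "severity": "high"},
    {"threatid": 10002, "threatname": None, "severity": "medium"},
]


def parse_threats_broken(threats: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Mirror the failing line 'a[key] = string_types(a[key])': calling a tuple."""
    rows = []
    for a in threats:
        a = dict(a)  # copy so the sample data is not mutated
        for key in a:
            a[key] = string_types(a[key])  # raises TypeError on the first row
        rows.append(a)
    return rows


def to_text(value: Any) -> str:
    """Coerce one attribute value to str.

    Existing strings pass through untouched (this is what string_types is for),
    None becomes an empty field, and anything else (ints, floats) is str()'d.
    """
    if isinstance(value, string_types):
        return value
    if value is None:
        return ""
    return str(value)


def parse_threats_fixed(threats: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Same row-building loop with the coercion done correctly."""
    return [{key: to_text(val) for key, val in a.items()} for a in threats]


def reproduce() -> str:
    """Return the TypeError message the broken version raises, or '' if none."""
    try:
        parse_threats_broken(SAMPLE_THREATS)
    except TypeError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print("broken version:", reproduce())
    for row in parse_threats_fixed(SAMPLE_THREATS):
        print("fixed version:", row)
```

Running the block prints the same `'tuple' object is not callable` message seen in search.log, followed by the two rows with every value converted to a string, which is what a downstream CSV writer expects.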

@bvarni bvarni added the bug label Nov 2, 2021
@welcome-to-palo-alto-networks

🎉 Thanks for opening your first issue here! Welcome to the community!

@paulmnguyen paulmnguyen self-assigned this Nov 10, 2021
@paulmnguyen
Contributor

Hey bvarni, thank you for creating the issue. I am investigating this and will update you once we have a solution.

@paulmnguyen
Contributor

Fix is currently under review; will merge and push a new release when review is complete.

paulmnguyen added a commit that referenced this issue Dec 9, 2021
paulmnguyen added a commit that referenced this issue Dec 15, 2021
* fix(app): Fix panContentPack error. Fixes bug #222
Closes PR #225
github-actions bot pushed a commit that referenced this issue Dec 27, 2021
### [7.0.4](v7.0.3...v7.0.4) (2021-12-27)

### Bug Fixes

* **addon:** Fix typo in transform.conf ([#227](#227))
* **app:** Fix panContentPack error. Fixes bug [#222](#222) - #225
@github-actions

🎉 This issue has been resolved in version 7.0.4 🎉

This release is available on SplunkBase: App - Add-on

Posted by semantic-release bot

github-actions bot pushed a commit to btorresgil/SplunkforPaloAltoNetworks that referenced this issue Mar 7, 2022
## [5.0.0-beta.1](v4.2.2...v5.0.0-beta.1) (2022-03-07)

### Features

* **addon:** Add Decryption Log Support for PANOS 10  - PaloAltoNetworks#126
* **addon:** Cortex Data Lake HEC log support - PaloAltoNetworks#162 PaloAltoNetworks#176
* **addon:** PAN Quality Validation and Improvement
* **addon:** Significantly improve and modernize CIM compliance
* **app/addon:** Add Cortex XDR incident support to App and Add-on including new XDR Incidents dashboard - PaloAltoNetworks#166
* **app/addon:** Add IoT Security - PaloAltoNetworks#158
* **app/addon:** Feature/dynamic user groups - PaloAltoNetworks#150
* **app/addon:** Python 3 Support - PaloAltoNetworks#124
* **app/addon:** Support GlobalProtect log type in PANOS 9.1 - PaloAltoNetworks#118
* **app/addon:** Update pandevice to 0.14.0 - PaloAltoNetworks#145

### Bug Fixes

* **addon:** Add fields for GlobalProtect logs
* **addon:** Add GlobalProtect SourceUserName - PaloAltoNetworks#209 PaloAltoNetworks#202
* **addon:** Add modinputs as tasks in app.manifest - PaloAltoNetworks#153
* **addon:** Add virus eventtype to malware CIM - PaloAltoNetworks#114 PaloAltoNetworks#138
* **addon:** Fix appserver/static files
* **addon:** Fix CDL logs contained string 'null' in 'user' field - PaloAltoNetworks#187
* **addon:** Fix error from Minemeld automatic lookup
* **addon:** Fix GlobalProtect logs dvc_name field
* **addon:** Fix nav bar background color
* **addon:** Fix src_user field contained destination user - PaloAltoNetworks#186
* **addon:** Fix typo in transform.conf ([PaloAltoNetworks#227](https://github.com/btorresgil/SplunkforPaloAltoNetworks/issues/227))
* **addon:** Fix user showing as unknown from GlobalProtect logs.  - PaloAltoNetworks#217
* **addon:** Parse GP and Decryption logs w/ pan:firewall - PaloAltoNetworks#168
* **addon:** Remove endpoint tags and eventtypes - PaloAltoNetworks#196
* **addon:** Remove port from `dest_name` field - PaloAltoNetworks#129 PaloAltoNetworks#128
* **addon:** Remove white space from GlobalProtect sourcetype - PaloAltoNetworks#131
* **addon:** Restore "unknown" string for empty 'user' field
* **app:** Fix error after upgrade to 7.0.0: "Unknown search command 'panwildfirereport'" - PaloAltoNetworks#189
* **app:** Fix IoT Security dashboard filter - PaloAltoNetworks#181
* **app:** Fix panContentPack error. Fixes bug [PaloAltoNetworks#222](https://github.com/btorresgil/SplunkforPaloAltoNetworks/issues/222) - PaloAltoNetworks#225
* **app:** Incident counters flash in Splunk 8.1 - PaloAltoNetworks#163
* **app:** Remove endpoint from Data Model Audit dashboard - PaloAltoNetworks#218
* **app/addon:** correct user-id tag_user / untag_user
* **app/addon:** Fix background color of logo - PaloAltoNetworks#141

### Performance Improvements

* **app:** Change simple XML to use JQuery 3.5 - PaloAltoNetworks#207
* **app:** Remove high cardinality fields from datamodel

### ⚠ MAJOR RELEASE CHANGES

This is a major release

Splunk dashboards and searches you have created might be
affected by these changes. Please be prepared to test and
adjust any dashboards not included with the App after upgrade.

* **addon:** pan_traffic_start logs no longer included in CIM
* **addon:** pan_traffic_end logs moved from Network Session to Network Traffic datamodel
* **addon:** pan_threat event type now includes wildfire and data logs
* **addon:** pan_file logs moved from Web to IDS datamodel
* **addon:** pan_virus logs moved from Malware to IDS datamodel
* **addon:** pan_wildfire logs moved from Malware to IDS datamodel
* **addon:** pan_email removed from Email datamodel
* **app:** Removes datamodel for GlobalProtect logs before PAN-OS 9.1
* **app/addon:** Removes Traps 4 support
* **app/addon:** Deprecates Traps 5 and Traps 6 support
* **app:** Removes support for legacy WildFire Report API
* **app/addon:** Requires Splunk 8.0 or higher
* **app/addon:** Replaces Adversary Scoreboard and Incident Feed dashboards with new XDR Incidents dashboard