We are using the Palo Alto TA and pushing the default app to our search head cluster. In props.conf there is an automatic lookup which references a KV store that is empty, causing errors when searching that data source on the search heads:
**LOOKUP-minemeldfeeds_src_lookup = minemeldfeeds_lookup indicator AS src_ip OUTPUT value.autofocus_tags AS src_autofocus_tags**
I've tried creating the same stanza in local/props.conf on the deployer without specifying the lookup but that just brings additional errors:
**LOOKUP-minemeldfeeds_src_lookup =**
We don't plan on using the minemeldfeeds so I don't see a need for this automatic lookup. Other than remarking the line in default, how would we disable a default setting in an app on the search heads?
↧