09-26-2025 05:03 AM
I have a problem with the incoming mirroring, the comments have not been synced back to XSOAR when using Splunk ES8.
As a result I upgraded the splunk content pack to 3.3, but now the entire mirroring is broken. No updates are synced back to XSOAR (Version 6.14.0 Build 3036535).
I noticed the developer tools are listed as mandatory but they are not included in the splunk pack, so I uploaded them manually. Unfortunately this did not resolve the issue.
This is what I see in the integration logs:
2025-09-26 11:45:15.8049 debug (SplunkPy_demosa_splunkcloud_instance_1_SplunkPy_get-modified-remote-data) mirror-in: performing `incident_review` search with query: |`incident_review` | eval last_modified_timestamp=_time | where last_modified_timestamp>1758876792.000754 | fields - _time,time | expandtoken. (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:985)
2025-09-26 11:45:18.0817 debug (SplunkPy_demosa_splunkcloud_instance_1_SplunkPy_get-modified-remote-data) Setting integration context (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:985)
2025-09-26 11:45:18.0821 debug (SplunkPy_demosa_splunkcloud_instance_1_SplunkPy_get-modified-remote-data) Updating integration context with version -1. Sync: True (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:985)
2025-09-26 11:45:19.4997 debug (SplunkPy_demosa_splunkcloud_instance_1_SplunkPy_get-modified-remote-data) Found Splunk ES version: 8.2.0 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:985)
2025-09-26 11:45:20.3990 debug (SplunkPy_demosa_splunkcloud_instance_1_SplunkPy_get-modified-remote-data) get_comments_data_new: mc_notes query completed in 0.897 sec for 2 notables and 2 notes (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:985)
2025-09-26 11:45:20.4016 info (SplunkPy_demosa_splunkcloud_instance_1_SplunkPy_get-modified-remote-data) Full Integration Log:
An error occurred during the Mirror In - in get_modified_remote_data_command: argument of type 'NoneType' is not iterable
Traceback (most recent call last):
File "<SplunkPy>", line 4029, in main
File "<SplunkPy>", line 2046, in get_modified_remote_data_command
File "<SplunkPy>", line 1852, in get_comments_data_new
File "<SplunkPy>", line 1733, in format_splunk_note_for_xsoar
File "/usr/local/lib/python3.12/urllib/parse.py", line 704, in unquote
if '%' not in string:
^^^^^^^^^^^^^^^^^
TypeError: argument of type 'NoneType' is not iterable
(source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:981)
Any assistance is appreciated.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
