https://community.splunk.com/t5/Getting-Data-In/Why-does-service-export-REST-API-fail-when-raw-is-not-excluded/m-p/486844#M83361 <P><CODE>NOT</CODE> is search first, and then, exclude.<BR /> you should search specifically.</P> Thu, 12 Mar 2020 09:43:32 GMT to4kawa 2020-03-12T09:43:32Z https://community.splunk.com/t5/Getting-Data-In/Why-does-service-export-REST-API-fail-when-raw-is-not-excluded/m-p/486843#M83360 <P>Using Java API and requesting a streaming export from Splunk a search like this:</P> <PRE><CODE>search index="client_ndx" sourcetype="client_source" (field1 = "*" ) | regex field1 != "val1|val2|val3" | fields field1, field2,field3,field4 , _time|fields - _raw </CODE></PRE> <P>(NOTE: ending with "|fields - _raw") returns the labeled fields, but ending it without that exclusion fails with the following error:</P> <PRE><CODE>java.lang.RuntimeException: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[124683119,213] Message: JAXP00010004: The accumulated size of entities is "50,000,001" that exceeded the "50,000,000" limit set by "FEATURE_SECURE_PROCESSING". at com.splunk.ResultsReaderXml.getNextEventInCurrentSet(ResultsReaderXml.java:128) at com.splunk.ResultsReader.getNextElement(ResultsReader.java:87) at com.splunk.ResultsReader.getNextElement(ResultsReader.java:29) at com.splunk.StreamIterableBase.cacheNextElement(StreamIterableBase.java:87) at com.splunk.StreamIterableBase.access$000(StreamIterableBase.java:28) at com.splunk.StreamIterableBase$1.hasNext(StreamIterableBase.java:37) at com.insightrocket.summaryloaders.splunk.SplunkParser.run(SplunkParser.java:112) at java.lang.Thread.run(Thread.java:745) Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[124683119,213] Message: JAXP00010004: The accumulated size of entities is "50,000,001" that exceeded the "50,000,000" limit set by "FEATURE_SECURE_PROCESSING". at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.next(XMLStreamReaderImpl.java:596) at com.sun.xml.internal.stream.XMLEventReaderImpl.nextEvent(XMLEventReaderImpl.java:83) at com.splunk.ResultsReaderXml.readSubtree(ResultsReaderXml.java:423) at com.splunk.ResultsReaderXml.getResultKVPairs(ResultsReaderXml.java:325) at com.splunk.ResultsReaderXml.getNextEventInCurrentSet(ResultsReaderXml.java:124) ... 7 more </CODE></PRE> <P>I specifically used the system.export to get a stream and bypass the maximum record count, but a change in the system now requires the use of the _raw field</P> Fri, 06 Mar 2020 20:57:50 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-service-export-REST-API-fail-when-raw-is-not-excluded/m-p/486843#M83360 dsmith14 2020-03-06T20:57:50Z https://community.splunk.com/t5/Getting-Data-In/Why-does-service-export-REST-API-fail-when-raw-is-not-excluded/m-p/486844#M83361 <P><CODE>NOT</CODE> is search first, and then, exclude.<BR /> you should search specifically.</P> Thu, 12 Mar 2020 09:43:32 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-service-export-REST-API-fail-when-raw-is-not-excluded/m-p/486844#M83361 to4kawa 2020-03-12T09:43:32Z https://community.splunk.com/t5/Getting-Data-In/Why-does-service-export-REST-API-fail-when-raw-is-not-excluded/m-p/486845#M83362 <P>That does not appear relevant to the issue, and since the range of values in that field is much larger (and changing) than the ones that need to be excluded, I don't think a specific search is suitable in this case</P> Thu, 12 Mar 2020 11:42:17 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-service-export-REST-API-fail-when-raw-is-not-excluded/m-p/486845#M83362 dsmith14 2020-03-12T11:42:17Z