Re: Splunk App for Microsoft SharePoint: Why am I ...

kobayashikenji · ‎03-18-2015

The following error is displayed at startup.
How can I support?

Splunk> Be an IT superhero. Go home early.

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration... Error while parsing '/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml':
 not well-formed (invalid token): line 39, column 62


There were problems with the configuration files.
Would you like to ignore these errors? [y/n]:

kenji

arber · ‎10-30-2015

Thats an XML issue, you should substitute Event with EventType and not do

 Event< 14

but

> (EventType==1 OR EventType==2 OR
> EventType==3 OR EventType==4 OR
> EventType==5 OREventType==6 OR
> EventType==7 OR EventType==8 OR
> EventType==9 OR EventType==10 OR
> EventType==11 OR EventType==11 OR 
> EventType==12 OR EventType==13 )

That should fix the issue. The alternative is to use CDATA to bypass xml errors.

This is the way i went around it and it works fine.

juvetm · ‎03-18-2015

Hi kenji
it seems as if you are having a problem with your token that you just define in the /opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml'
what i will like you to do is to check the token that you just define in usage_sites.xml because look the message carefully it say that

 Checking configuration... Error while parsing '/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml':
  not well-formed (invalid token): line 39, column 62

let take a look at the last message there was problems with the configuration file so please check the token at the usage_sites.xml' in the file that is the problem

 There were problems with the configuration files.
 Would you like to ignore these errors? [y/n]:

please try to check the token that you define if you can not do it very well please paste the code on answer i think i may help you to resolve this problem
thanks

juvetm · ‎03-23-2015

Hi kenji
actually the first problem is that you are having problem with your search request you need to add .csv this is the right search request

 36 | inputlookup SPSite.csv
   37 | table Id,Url
   38 | rename Id as SiteId
   39 | join type=outer [ search eventtype=mssharepoint-audit Event<14 | stats count by SiteId ]
   40 | where isnull(count)
   41 | table SiteId,Url

secondly another problem that you said that you not can see the SPSite csv because you have not define the right directory this is the right want

$SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups

kobayashikenji · ‎03-22-2015

Thank you for your reply.

I investigated to line 39 , column 62 in following file.

/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml

  36 | inputlookup SPSite
  37 | table Id,Url
  38 | rename Id as SiteId
  39 | join type=outer [ search eventtype=mssharepoint-audit Event<14 | stats count by SiteId ]
  40 | where isnull(count)
  41 | table SiteId,Url

Actually, I could not find a "SPSite" csv file in SharePoint Apps directory.
I guess does not define "SPSite" look up table in SharePonit Apss.

How can I fix this problem?

Thanks,
Kenz

Splunk App for Microsoft SharePoint: Why am I getting "Error while parsing '.../views/usage_sites.xml': not well-formed (invalid token)" at Splunk startup?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation