I just installed the Syndication Input add-on on my stand-alone search head and configured the answers.splunk.com/feed/questions.rss input as shown in the example. No data is showing in the dedicated index and running index=_internal sourcetype="syndication_modular_input"
shows multiple records with this message:
"INFO Successfully retrieved feed entries, count=0, url=https://answers.splunk.com/feed/questions.rss"
So it says everything is fine, but there is nothing there. I tried both with and without credentials. Inputs.conf stanza in the search app looks like:
[syndication://Splunk Answers]
host = answers.splunk.com
include_only_changed = 1
index = training
interval = 1m
sourcetype = SplunkTraining-Answers
url = https://answers.splunk.com/feed/questions.rss
It seems like a bug. I have reproduced it locally and am looking fixing it. See http://lukemurphey.net/issues/1134 for details.
I'll post an update here once I find a solution,
i am not getting updates from rss to my splunk instance can u suggest me whole procedure?
Thank you.
I found that while my server has internet connectivity, when I try to open the RSS directly in the browser it reports that security settings prevent downloading the file. I am working on a solution. I am not sure that corporate policy will allow me to change the security settings.
I tried reproducing this on Windows + Splunk 6.2. Still works fine for me. I posted a build that will output a lot more details to the internal log. Would you be willing to run that one? That version will output details on why it is ignoring each RSS entry (do a search for "index=_internal sourcetype=syndication_modular_input").
@Luke i aslo used new build posted by you above but same result
log-
2016-02-18 12:37:36,167 INFO Successfully retrieved feed entries, count=0, url=http://tif.mcafee.com/threats.rss
@tp92222: also, you may try creating another identical input but disabling the option to only include changed entries.
@tp92222: that build doesn't include any fixes. Instead, it includes more instrumentation that may help me detect the issue. What do you see when you search for the following:
index=_internal sourcetype="syndication_modular_input" | rex field=_raw "(?<action>((Skipping)|(Including)))" | search count>0 OR action=Including | table date latest_date title action count
i reinstall splunk but this time 6.3 ver .now i am able to see feeds .thank you all for help
config -windows 7 + splunk 6.2
let me know if i miss anything
-installed Syndication Input (RSS/ATOM/RDF) add-on
-enabled app from manage app
-config input with settings shown in below pic
https://www.dropbox.com/s/xw18mz93kplaa6r/syn.png?dl=0
i search for "index=_internal sourcetype=syndication_modular_input"
got log as below
2016-02-17 13:37:52,151 INFO Successfully retrieved feed entries, count=0, url=http://tif.mcafee.com/threats.rss
I will do it next week. Thanks.
Distributed on-prem installation of 6.2 on Windows Server 2012. 5 indexers and 1 search head in 2 US data centers.
I tried to reproduce this but it has been working fine for me once I created the "training" index.
@timpacl, @tp92222: Could both of you provide some information about your Splunk environments (platform, version of Splunk, etc.)? I cannot reproduce this and I'm trying to figure out what is different on my environment than yours.
i am facing same problem..please give us update
thank you!!!!
Any Update LukeMurphey?