I just installed the Syndication Input add-on on my stand-alone search head and configured the answers.splunk.com/feed/questions.rss input as shown in the example. No data is showing in the dedicated index and running
index=_internal sourcetype="syndication_modular_input" shows multiple records with this message:
"INFO Successfully retrieved feed entries, count=0, url=https://answers.splunk.com/feed/questions.rss"
So it says everything is fine, but there is nothing there. I tried both with and without credentials. Inputs.conf stanza in the search app looks like:
[syndication://Splunk Answers]
host = answers.splunk.com
include_only_changed = 1
index = training
interval = 1m
sourcetype = SplunkTraining-Answers
url = https://answers.splunk.com/feed/questions.rss
I found that while my server has internet connectivity, when I try to open the RSS directly in the browser it reports that security settings prevent downloading the file. I am working on a solution. I am not sure that corporate policy will allow me to change the security settings.
I tried reproducing this on Windows + Splunk 6.2. Still works fine for me. I posted a build that will output a lot more details to the internal log. Would you be willing to run that one? That version will output details on why it is ignoring each RSS entry (do a search for "index=_internal sourcetype=syndication_modular_input").
@tp92222: that build doesn't include any fixes. Instead, it includes more instrumentation that may help me detect the issue. What do you see when you search for the following:
index=_internal sourcetype="syndication_modular_input" | rex field=_raw "(?<action>((Skipping)|(Including)))" | search count>0 OR action=Including | table date latest_date title action count
Config: Windows 7 + Splunk 6.2
Let me know if I missed anything.
- Installed the Syndication Input (RSS/ATOM/RDF) add-on
- Enabled the app from Manage Apps
- Configured the input with the settings shown in the pic below
I searched for "index=_internal sourcetype=syndication_modular_input"
and got the log below:
2016-02-17 13:37:52,151 INFO Successfully retrieved feed entries, count=0, url=http://tif.mcafee.com/threats.rss
@timpacl, @tp92222: Could both of you provide some information about your Splunk environments (platform, version of Splunk, etc.)? I cannot reproduce this and I'm trying to figure out what is different between my environment and yours.