Splunk Dev

Splunklib (python)/API issues after update to 7.2.0: "ParseError: mismatched tag: line 10625, column 2".

dan_ritter
Engager

Hello,

I have been running some scripts using splunklib for the past year or so without any issues. I recently updated our indexers to 7.2.0 and am now receiving occasional errors. The issue below happens every once in a while in about 5 scripts, and every time in another.

Here is the traceback:

Error on REDACTED:
Traceback (most recent call last):
  File "REDACTED.py", line 152, in
    message += REDACTED.REDACTED(REDACTED)
  File "/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED.py", line 93, in REDACTED
    REDACTED = REDACTED(REDACTED,REDACTED)
  File "/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED.py", line 43, in REDACTED
    for result in results:
  File "/usr/local/lib/python2.7/dist-packages/splunklib/results.py", line 205, in next
    return self._gen.next()
  File "/usr/local/lib/python2.7/dist-packages/splunklib/results.py", line 212, in _parse_results
    for event, elem in et.iterparse(stream, events=('start', 'end')):
  File "", line 91, in next
ParseError: mismatched tag: line 10625, column 2

I am not sure what the issue is here. To debug a bit easier, I took the exact code that made searches and put it in its own file. After running it the first time, it iterated over about half of the results in the search and failed with the above error. The remaining times it has worked fine. This same issue happens in several scripts that seem to have no correlation with each other.

To make it more clear, here is example source:

import splunklib.results as results
import splunklib.client as client

def execute_search(search_string, service):
    # Stream the last 7 days of matching events through the export endpoint
    kwargs_export = {"earliest_time": "-7d", "latest_time": "now", "search_mode": "normal"}
    exportsearch_results = service.jobs.export(search_string, **kwargs_export)
    # ResultsReader parses the XML response stream
    return results.ResultsReader(exportsearch_results)

token = client.connect(host='splunk_server', port=8089, username='user', password='pass')
results = execute_search("search index=example", token)

Here is where it fails during iteration:

for result in results:
    print result

I would appreciate any insight anyone can provide.

Thanks!


sylim_splunk
Splunk Employee

i) Try to work out what error it hits; use an online XML validator.

ii) If it's not something you can't fix due to the mal-formatted XML, then try to use CSV format in the request. For example, in kwargs_export add "output_mode": "csv".

kwargs_export = {"earliest_time": "-7d", "latest_time": "now", "search_mode": "normal", "output_mode": "csv" }
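
Added example, not part of the original answer or of splunklib: once the request uses "output_mode": "csv", the XML-based ResultsReader from the traceback above no longer fits, so the rows have to be read as CSV. The sketch below assumes the export response can be treated as a binary file-like stream; iter_csv_results and the sample data are constructed for illustration.

```python
import csv
import io


def iter_csv_results(stream, encoding="utf-8"):
    """Yield one dict per CSV row from a binary file-like export stream.

    Raises ValueError on a row whose cell count differs from the header,
    so a cut-off response fails loudly instead of yielding partial events.
    """
    # newline="" leaves line breaks untouched so the csv module can keep
    # multi-line quoted fields (for example a multi-line _raw) in one row.
    text = io.TextIOWrapper(stream, encoding=encoding, newline="")
    reader = csv.DictReader(text)
    for row in reader:
        # DictReader stores surplus cells under key None and pads
        # missing cells with the value None.
        if None in row or None in row.values():
            raise ValueError(
                "row ending at line %d does not match header %r"
                % (reader.line_num, reader.fieldnames)
            )
        yield row


# Constructed sample: a healthy response with a comma and a newline
# inside quoted fields.
SAMPLE_OK = (
    b"_time,host,_raw\n"
    b'2018-10-01T00:00:00,web01,"GET /a, status=200"\n'
    b'2018-10-01T00:00:05,web02,"line one\nline two"\n'
)

# Constructed sample: the same kind of response cut off mid-row.
SAMPLE_TRUNCATED = (
    b"_time,host,_raw\n"
    b"2018-10-01T00:00:00,web01,ok\n"
    b"2018-10-01T00:00:05,web"
)

if __name__ == "__main__":
    for event in iter_csv_results(io.BytesIO(SAMPLE_OK)):
        print(event["host"], repr(event["_raw"]))
    try:
        list(iter_csv_results(io.BytesIO(SAMPLE_TRUNCATED)))
    except ValueError as exc:
        print("rejected:", exc)
```

In a real script the stream argument would be the object returned by service.jobs.export(...) with "output_mode": "csv" in kwargs_export, assuming that object behaves as a readable binary stream.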

