Splunk Dev

Splunklib (python)/API issues after update to 7.2.0: "ParseError: mismatched tag: line 10625, column 2".

dan_ritter
Engager

Hello,

I have been running some scripts using splunklib for the past year or so without any issues. I recently updated our indexers to 7.2.0 and am now receiving occasional errors. The issue below happens every once in a while in about 5 scripts, and every time in another.

Here is the traceback:

Error on REDACTED:
Traceback (most recent call last):
  File "REDACTED.py", line 152, in <module>
    message += REDACTED.REDACTED(REDACTED)
  File "/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED.py", line 93, in REDACTED
    REDACTED = REDACTED(REDACTED,REDACTED)
  File "/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED.py", line 43, in REDACTED
    for result in results:
  File "/usr/local/lib/python2.7/dist-packages/splunklib/results.py", line 205, in next
    return self._gen.next()
  File "/usr/local/lib/python2.7/dist-packages/splunklib/results.py", line 212, in _parse_results
    for event, elem in et.iterparse(stream, events=('start', 'end')):
  File "<string>", line 91, in next
ParseError: mismatched tag: line 10625, column 2

I am not sure what the issue is here. To debug a bit easier, I took the exact code that made searches and put it in its own file. After running it the first time, it iterated over about half of the results in the search and failed with the above error. The remaining times it has worked fine. This same issue happens in several scripts that seem to have no correlation with each other.

To make it more clear, here is example source:

import splunklib.results as results
import splunklib.client as client

def execute_search(search_string, service):
    # Stream results from the export endpoint for the last 7 days
    kwargs_export = {"earliest_time": "-7d", "latest_time": "now", "search_mode": "normal"}
    exportsearch_results = service.jobs.export(search_string, **kwargs_export)
    # ResultsReader parses the XML response stream lazily
    return results.ResultsReader(exportsearch_results)

# client.connect returns a connected Service object
token = client.connect(host='splunk_server', port=8089, username='user', password='pass')
results = execute_search("search index=example", token)

Here is where it fails during iteration:

for result in results:
    print(result)

I would appreciate any insight anyone can provide.

Thanks!

1 Solution

sylim_splunk
Splunk Employee

i) Try to work out what error it hits; use an online XML validator.

ii) If it's not something you can fix due to the malformed XML, then try to use CSV format in the request. For example, in kwargs_export add "output_mode": "csv".

kwargs_export = {"earliest_time": "-7d", "latest_time": "now", "search_mode": "normal", "output_mode": "csv" }
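
Added example, not part of the original answer or of the Splunk SDK: once "output_mode": "csv" is set, the export stream is no longer XML, so results.ResultsReader (which the traceback shows calling et.iterparse) does not apply and the rows have to be read as CSV. The Python 3 code below does that and raises on rows whose field count differs from the header's, so a damaged response is not silently accepted as a short result set; the function names and the sample data are assumptions made for illustration.

```python
import codecs
import csv
import io


def _iter_lines(stream, chunk_size, encoding):
    """Decode a binary stream incrementally and yield '\\n'-terminated lines."""
    decoder = codecs.getincrementaldecoder(encoding)(errors="replace")
    pending = ""
    while True:
        chunk = stream.read(chunk_size)
        pending += decoder.decode(chunk, final=not chunk)
        # Everything before the last '\n' is complete; keep the tail for later.
        *complete, pending = pending.split("\n")
        for line in complete:
            yield line + "\n"
        if not chunk:  # end of stream
            if pending:
                yield pending
            return


def iter_csv_export(stream, chunk_size=65536, encoding="utf-8"):
    """Yield one dict per result row from a CSV export stream.

    Assumption: `stream` has read(n) returning bytes, like the object
    returned by service.jobs.export(query, output_mode="csv").
    Raises ValueError when a row's field count differs from the header's.
    """
    reader = csv.reader(_iter_lines(stream, chunk_size, encoding))
    header = next(reader, None)
    if header is None:  # empty response: no header, no rows
        return
    for row in reader:
        if not row:  # tolerate blank lines
            continue
        if len(row) != len(header):
            raise ValueError("CSV line %d: %d fields, expected %d"
                             % (reader.line_num, len(row), len(header)))
        yield dict(zip(header, row))


# Constructed sample input, not real Splunk output.
SAMPLE = (b'"_time",host,"_raw"\n'
          b'"2018-10-01 10:00:00",web01,"line one\nline two"\n'
          b'"2018-10-01 10:00:05",web02,"GET /index.html"\n')

if __name__ == "__main__":
    for result in iter_csv_export(io.BytesIO(SAMPLE)):
        print(result)
```

The field-count check catches a response cut off in the middle of a row; a stream that ends exactly on a row boundary still looks complete, so compare the row count against the job's expected count where that matters.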
