Why is the XML not being parsed correctly in Nextc...

ggudgin · ‎04-02-2018

I have installed the Nextcloud TA and application on Splunk 7.0.2 ( a second fresh install to be sure) and am having problems with the nextcloud-serverinfo script and the information in the index. The Server status scripts works fine and the JSON information returned is interpreted correctly. Serverinfo however is in XML and does not look to be working correctly. I am using the defaults as per the installation instructions.

Running the script from the shell, curl provides the following response:

<?xml version="1.0"?>
<ocs>
<meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message>OK</message>
</meta>
<data>
  <nextcloud>
   <system>
    <version>13.0.1.1</version>
    <theme>none</theme>
    <enable_avatars>yes</enable_avatars>
    <enable_previews>yes</enable_previews>
    <memcache.local>\OC\Memcache\Redis</memcache.local>
    <memcache.distributed>\OC\Memcache\Redis</memcache.distributed>
    <filelocking.enabled>yes</filelocking.enabled>
    <memcache.locking>\OC\Memcache\Redis</memcache.locking>
    <debug>no</debug>
    <freespace>193281241088</freespace>
    <cpuload>
     <element>0</element>
     <element>0.01</element>
     <element>0</element>
    </cpuload>
    <mem_total>4046316</mem_total>
    <mem_free>3228028</mem_free>
    <swap_total>999420</swap_total>
    <swap_free>998896</swap_free>
   </system>
   <storage>
    <num_users>2</num_users>
    <num_files>12180</num_files>
    <num_storages>3</num_storages>
    <num_storages_local>1</num_storages_local>
    <num_storages_home>2</num_storages_home>
    <num_storages_other>0</num_storages_other>
   </storage>
   <shares>
    <num_shares>0</num_shares>
    <num_shares_user>0</num_shares_user>
    <num_shares_groups>0</num_shares_groups>
    <num_shares_link>0</num_shares_link>
    <num_shares_link_no_password>0</num_shares_link_no_password>
    <num_fed_shares_sent>0</num_fed_shares_sent>
    <num_fed_shares_received>0</num_fed_shares_received>
   </shares>
  </nextcloud>
  <server>
   <webserver>Apache/2.4.18 (Ubuntu)</webserver>
   <php>
    <version>7.0.28</version>
    <memory_limit>536870912</memory_limit>
    <max_execution_time>3600</max_execution_time>
    <upload_max_filesize>1048576000</upload_max_filesize>
   </php>
   <database>
    <type>mysql</type>
    <version>10.2.13</version>
    <size>5406720</size>
   </database>
  </server>
  <activeUsers>
   <last5minutes>1</last5minutes>
   <last1hour>1</last1hour>
   <last24hours>2</last24hours>
  </activeUsers>
</data>
</ocs>

This results in just over 60 events being indexed as per this screenshot: -

The Nextcloud dashboard is trying to display ocs.data.nextcloud.storage.num_users and finds nothing, however a field num_users exists.
Props.conf has the following default configuration: -

[nextcloud-serverinfo]
KV_MODE = xml
ANNOTATE_PUNCT = false

Everything is telling me the xml is not being parsed correctly, due to multiple events, but am unsure what to try.
Any clues, or does someone have this working with Nextcloud 13, Splunk 7.0.2 and teh Nextcloud app? If so, what does the event look like after the scripts runs?

ggudgin · ‎04-11-2018

For those that install this and run into the same problem, I added the following SHOULD_LINEMERGE to the props.conf and that seems to have resolved the xml being broken down into 60+ events. It now stays as a single XML event and the dashboard displays correctly the information.

[nextcloud-serverinfo]
KV_MODE = xml
ANNOTATE_PUNCT = false
SHOULD_LINEMERGE = TRUE

Why is the XML not being parsed correctly in Nextcloud ServerInfo Dashboard?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)