Dashboards & Visualizations

Why is the XML not being parsed correctly in Nextcloud ServerInfo Dashboard?

ggudgin
Explorer

I have installed the Nextcloud TA and application on Splunk 7.0.2 ( a second fresh install to be sure) and am having problems with the nextcloud-serverinfo script and the information in the index. The Server status scripts works fine and the JSON information returned is interpreted correctly. Serverinfo however is in XML and does not look to be working correctly. I am using the defaults as per the installation instructions.

Running the script from the shell, curl provides the following response:

<?xml version="1.0"?>
<ocs>
<meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message>OK</message>
</meta>
<data>
  <nextcloud>
   <system>
    <version>13.0.1.1</version>
    <theme>none</theme>
    <enable_avatars>yes</enable_avatars>
    <enable_previews>yes</enable_previews>
    <memcache.local>\OC\Memcache\Redis</memcache.local>
    <memcache.distributed>\OC\Memcache\Redis</memcache.distributed>
    <filelocking.enabled>yes</filelocking.enabled>
    <memcache.locking>\OC\Memcache\Redis</memcache.locking>
    <debug>no</debug>
    <freespace>193281241088</freespace>
    <cpuload>
     <element>0</element>
     <element>0.01</element>
     <element>0</element>
    </cpuload>
    <mem_total>4046316</mem_total>
    <mem_free>3228028</mem_free>
    <swap_total>999420</swap_total>
    <swap_free>998896</swap_free>
   </system>
   <storage>
    <num_users>2</num_users>
    <num_files>12180</num_files>
    <num_storages>3</num_storages>
    <num_storages_local>1</num_storages_local>
    <num_storages_home>2</num_storages_home>
    <num_storages_other>0</num_storages_other>
   </storage>
   <shares>
    <num_shares>0</num_shares>
    <num_shares_user>0</num_shares_user>
    <num_shares_groups>0</num_shares_groups>
    <num_shares_link>0</num_shares_link>
    <num_shares_link_no_password>0</num_shares_link_no_password>
    <num_fed_shares_sent>0</num_fed_shares_sent>
    <num_fed_shares_received>0</num_fed_shares_received>
   </shares>
  </nextcloud>
  <server>
   <webserver>Apache/2.4.18 (Ubuntu)</webserver>
   <php>
    <version>7.0.28</version>
    <memory_limit>536870912</memory_limit>
    <max_execution_time>3600</max_execution_time>
    <upload_max_filesize>1048576000</upload_max_filesize>
   </php>
   <database>
    <type>mysql</type>
    <version>10.2.13</version>
    <size>5406720</size>
   </database>
  </server>
  <activeUsers>
   <last5minutes>1</last5minutes>
   <last1hour>1</last1hour>
   <last24hours>2</last24hours>
  </activeUsers>
</data>
</ocs>

This results in just over 60 events being indexed as per this screenshot: -

alt text

The Nextcloud dashboard is trying to display ocs.data.nextcloud.storage.num_users and finds nothing, however a field num_users exists.
Props.conf has the following default configuration: -

[nextcloud-serverinfo]
KV_MODE = xml
ANNOTATE_PUNCT = false

Everything is telling me the xml is not being parsed correctly, due to multiple events, but am unsure what to try.
Any clues, or does someone have this working with Nextcloud 13, Splunk 7.0.2 and teh Nextcloud app? If so, what does the event look like after the scripts runs?

0 Karma

ggudgin
Explorer

For those that install this and run into the same problem, I added the following SHOULD_LINEMERGE to the props.conf and that seems to have resolved the xml being broken down into 60+ events. It now stays as a single XML event and the dashboard displays correctly the information.

[nextcloud-serverinfo]
KV_MODE = xml
ANNOTATE_PUNCT = false
SHOULD_LINEMERGE = TRUE
0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...