Dashboards & Visualizations

Why is the XML not being parsed correctly in Nextcloud ServerInfo Dashboard?

ggudgin
Explorer

I have installed the Nextcloud TA and application on Splunk 7.0.2 ( a second fresh install to be sure) and am having problems with the nextcloud-serverinfo script and the information in the index. The Server status scripts works fine and the JSON information returned is interpreted correctly. Serverinfo however is in XML and does not look to be working correctly. I am using the defaults as per the installation instructions.

Running the script from the shell, curl provides the following response:

<?xml version="1.0"?>
<ocs>
<meta>
  <status>ok</status>
  <statuscode>200</statuscode>
  <message>OK</message>
</meta>
<data>
  <nextcloud>
   <system>
    <version>13.0.1.1</version>
    <theme>none</theme>
    <enable_avatars>yes</enable_avatars>
    <enable_previews>yes</enable_previews>
    <memcache.local>\OC\Memcache\Redis</memcache.local>
    <memcache.distributed>\OC\Memcache\Redis</memcache.distributed>
    <filelocking.enabled>yes</filelocking.enabled>
    <memcache.locking>\OC\Memcache\Redis</memcache.locking>
    <debug>no</debug>
    <freespace>193281241088</freespace>
    <cpuload>
     <element>0</element>
     <element>0.01</element>
     <element>0</element>
    </cpuload>
    <mem_total>4046316</mem_total>
    <mem_free>3228028</mem_free>
    <swap_total>999420</swap_total>
    <swap_free>998896</swap_free>
   </system>
   <storage>
    <num_users>2</num_users>
    <num_files>12180</num_files>
    <num_storages>3</num_storages>
    <num_storages_local>1</num_storages_local>
    <num_storages_home>2</num_storages_home>
    <num_storages_other>0</num_storages_other>
   </storage>
   <shares>
    <num_shares>0</num_shares>
    <num_shares_user>0</num_shares_user>
    <num_shares_groups>0</num_shares_groups>
    <num_shares_link>0</num_shares_link>
    <num_shares_link_no_password>0</num_shares_link_no_password>
    <num_fed_shares_sent>0</num_fed_shares_sent>
    <num_fed_shares_received>0</num_fed_shares_received>
   </shares>
  </nextcloud>
  <server>
   <webserver>Apache/2.4.18 (Ubuntu)</webserver>
   <php>
    <version>7.0.28</version>
    <memory_limit>536870912</memory_limit>
    <max_execution_time>3600</max_execution_time>
    <upload_max_filesize>1048576000</upload_max_filesize>
   </php>
   <database>
    <type>mysql</type>
    <version>10.2.13</version>
    <size>5406720</size>
   </database>
  </server>
  <activeUsers>
   <last5minutes>1</last5minutes>
   <last1hour>1</last1hour>
   <last24hours>2</last24hours>
  </activeUsers>
</data>
</ocs>

This results in just over 60 events being indexed as per this screenshot: -

alt text

The Nextcloud dashboard is trying to display ocs.data.nextcloud.storage.num_users and finds nothing, however a field num_users exists.
Props.conf has the following default configuration: -

[nextcloud-serverinfo]
KV_MODE = xml
ANNOTATE_PUNCT = false

Everything is telling me the xml is not being parsed correctly, due to multiple events, but am unsure what to try.
Any clues, or does someone have this working with Nextcloud 13, Splunk 7.0.2 and teh Nextcloud app? If so, what does the event look like after the scripts runs?

0 Karma

ggudgin
Explorer

For those that install this and run into the same problem, I added the following SHOULD_LINEMERGE to the props.conf and that seems to have resolved the xml being broken down into 60+ events. It now stays as a single XML event and the dashboard displays correctly the information.

[nextcloud-serverinfo]
KV_MODE = xml
ANNOTATE_PUNCT = false
SHOULD_LINEMERGE = TRUE
0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...