Developing for Splunk Enterprise
Highlighted

Splunklib (python)/API issues after update to 7.2.0: "ParseError: mismatched tag: line 10625, column 2".

Engager

Hello,

I have been running some scripts using splunklib for the past year or so without any issues. I recently updated our indexers to 7.2.0 and am now receiving the occasional errors. The below issues happens every once in a while in about 5 scripts, and every time in another.

Here is a the traceback:

Error on REDACTED:
Traceback (most recent call last):
File "REDACTED.py", line 152, in 
message += REDACTED.REDACTED(REDACTED)
File "/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED.py", line 93, in REDACTED
REDACTED = REDACTED(REDACTED,REDACTED)
File "/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED.py", line 43, in REDACTED
for result in results:
File "/usr/local/lib/python2.7/dist-packages/splunklib/results.py", line 205, in next
return self.gen.next()
File "/usr/local/lib/python2.7/dist-packages/splunklib/results.py", line 212, in _parseresults
for event, elem in et.iterparse(stream, events=('start', 'end')):
File "", line 91, in next
ParseError: mismatched tag: line 10625, column 2

I am not sure what the issue is here. To debug a bit easier, I took the exact code that made searches and put it in its own file. After running it the first time, it iterated over about half of the results in the search and failed with the above error. The remaining times it has worked fine. This same issue happens in several scripts that seem to have no correlation with each other.

To make it more clear, here is example source:

import splunklib.results as results
import splunklib.client as client

def executesearch(searchstring, service):
kwargsexport = {"earliesttime": "-7d", "latesttime": "now", "searchmode": "normal"}
exportsearchresults = service.jobs.export(searchString, **kwargsexport)
return results.ResultsReader(exportsearch_results)

token = client.connect( host='splunkserver', port= 8089, username='user', password='pass')
results = executesearch("search index=example", token)

Here is where it fails during iteration:

for result in results:
print result

I would appreciate any insight anyone can provide.

Thanks!

Labels (1)
Tags (2)
Highlighted

Re: splunklib (python)/api issues after update to 7.2.0: "ParseError: mismatched tag: line 10625, column 2"

Splunk Employee
Splunk Employee

i) Try to work out what error it hits, use online xml validator.

ii) If it's not something you can't fix due to the mal-formatted xml then try to use csv format in the request.. for example in kwargsexport add "outputmode":"csv" .

kwargsexport = {"earliesttime": "-7d", "latesttime": "now", "searchmode": "normal", "output_mode": "csv" }

View solution in original post