Getting Data In

Why doesn't my REST query to /services/authentication/users work anymore all of a sudden?

JuGuSm
Path Finder

Hi,

I use this query almost every day :

| rest /services/authentication/users

But today it doesn't work, I get this error message :

Failed to parse XML Body:<?xml version="1.0" encoding="UTF-8"?> <!--This is to override b...

And I don't have the end of this message.

Other rest commands work fine.

Tags (2)
1 Solution

scorrie_splunk
Splunk Employee
Splunk Employee

I just had a case with the exact error. It turned out to be related to Splunk's inability to process the data due to some issue in the data.

In the case I worked on, there were base64 VALUES that had a hidden character at the beginning.

I am aware of one other case, which had unusual (not UTF-8) characters in the data.

Solution:
Fix your data. Examine it with a programming Tool (I use MacVIM, and GVIM). You may not see the problem when just looking at the logs.

If you can't fix your data prior to ingestion, what you can do is go into the search.log, determine which search (or source) is generating the problem and disable it. I realize this is a temporary solution, but it is a workaround until you can clean up your data.

I was not able to find any "Splunk Bugs" on this particular issue, possibly because it falls more under "quality of incoming data".

View solution in original post

haraksin
Path Finder

If anyone is coming across this in 2022, you should know that there's a pretty easy workaround for this nowadays. The issue is with XML parsing, but Splunk allows you to output the results in JSON format with a simple change to your rest query. Instead of my query for lookup transforms:

| rest /servicesNS/nobody/app/data/transforms/lookups  splunk_server=local

You just add the output_mode=json GET argument to it, like so:

| rest /servicesNS/nobody/app/data/transforms/lookups output_mode=json splunk_server=local

This resolved this issue for me immediately.

Tags (4)
0 Karma

scorrie_splunk
Splunk Employee
Splunk Employee

I just had a case with the exact error. It turned out to be related to Splunk's inability to process the data due to some issue in the data.

In the case I worked on, there were base64 VALUES that had a hidden character at the beginning.

I am aware of one other case, which had unusual (not UTF-8) characters in the data.

Solution:
Fix your data. Examine it with a programming Tool (I use MacVIM, and GVIM). You may not see the problem when just looking at the logs.

If you can't fix your data prior to ingestion, what you can do is go into the search.log, determine which search (or source) is generating the problem and disable it. I realize this is a temporary solution, but it is a workaround until you can clean up your data.

I was not able to find any "Splunk Bugs" on this particular issue, possibly because it falls more under "quality of incoming data".

JuGuSm
Path Finder

My problem has been resolved a few months ago and it was exactly what you described.

0 Karma

effem
Communicator

Hey guys,

how have you been able to fix this?

I have the same issue with
| rest splunk_server=local /services/search/jobs

Can't find a safe way to find the malicious characters, although splunk is stating its this:
Entity: line 305799: parser: Input is not proper UTF-8, indicate encoding !\nBytes: 0xC3 0x20 0x2E 0x2E

0 Karma

mbrettschneider
Engager

Same problem for me with
| REST /services/data/lookup-table-files

 | rest /services/authentication/users

works for me.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...