Splunk Enterprise Security: Streaming XML data tag...

tjgamez · ‎02-28-2019

Hi all,

I am new to Splunk and am still trying to figure out everything one step at a time. I have an issue where the streaming XML data is expecting a tag and is instead receiving something else. The warning that shows up in splunkd.log is the following:

WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "error".

Is anyone familiar with this issue? And if so, where do I even start to troubleshoot it? I don't know what file to go to check the tags or the error.

Any help would be gladly appreciated. Thanks in advance!

jbrocks · ‎03-04-2019

I guess you installed the Splunk CIM Addon? In this case, about all Events containing the word "error" or similar words will get the tag "error". This is defined by a serach in the eventtypes.conf of the Splunk CIM AddOn:

[err0r]
search = NOT sourcetype=stash (error OR failure OR fail OR failed OR fatal) NOT "not an error"
#tag   = error

and tags.conf:

## error
[eventtype=err0r]
error = enabled

tjgamez · ‎05-06-2019

Sorry for the late reply, so the way to fix it would be by disabling the error tag?

markhill1 · ‎05-23-2019

I wouldnt disable the tag, you may prevent results appearing from important queries.

Splunk Enterprise Security: Streaming XML data tag "error"

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...