Splunk Enterprise Security: Streaming XML data tag "error"

tjgamez
New Member

Hi all,

I am new to Splunk and am still trying to figure out everything one step at a time. I have an issue where the streaming XML data is expecting a tag and is instead receiving something else. The warning that shows up in splunkd.log is the following:

WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "error".

Is anyone familiar with this issue? And if so, where do I even start to troubleshoot it? I don't know what file to go to check the tags or the error.

Any help would be gladly appreciated. Thanks in advance!

0 Karma

jbrocks
Communicator

I guess you installed the Splunk CIM Addon? In this case, about all Events containing the word "error" or similar words will get the tag "error". This is defined by a search in the eventtypes.conf of the Splunk CIM AddOn:

[err0r]
search = NOT sourcetype=stash (error OR failure OR fail OR failed OR fatal) NOT "not an error"
#tag   = error

and tags.conf:

## error
[eventtype=err0r]
error = enabled

0 Karma

tjgamez
New Member

Sorry for the late reply. So the way to fix it would be by disabling the error tag?

0 Karma

markhill1
Path Finder

I wouldn't disable the tag; you may prevent results appearing from important queries.

0 Karma
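
The warning quoted in the question names two XML element names: the input's stream was expected to carry "event" and carried "error". As an added example (not from the thread and not Splunk's code), this Python script scans the captured output of a script-based input for elements other than "event" and prints their text. The "stream" root element, the sample output and the name check_stream are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of what a script-based input might write to stdout.
SAMPLE_OUTPUT = """<stream>
  <event><data>2025-01-01 00:00:01 login ok user=alice</data></event>
  <error><message>could not reach API endpoint</message></error>
  <event><data>2025-01-01 00:00:05 login ok user=bob</data></event>
</stream>"""


def check_stream(xml_text, expected="event"):
    """Return (number of expected elements, [(tag, text), ...] for the rest)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Output that is not well-formed XML is reported, not raised.
        return 0, [("<unparseable>", str(exc))]

    # Assumption: events are children of a <stream> root. If the script
    # printed a bare element instead, inspect that element itself.
    elements = list(root) if root.tag == "stream" else [root]

    ok = 0
    unexpected = []
    for elem in elements:
        if elem.tag == expected:
            ok += 1
        else:
            # Collapse whitespace so the script's own message is readable.
            text = " ".join("".join(elem.itertext()).split())
            unexpected.append((elem.tag, text))
    return ok, unexpected


if __name__ == "__main__":
    # Pass a file holding the script's captured stdout, or run the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            captured = fh.read()
    else:
        captured = SAMPLE_OUTPUT
    ok, unexpected = check_stream(captured)
    print(f"{ok} <event> element(s)")
    for tag, text in unexpected:
        print(f'unexpected <{tag}>: {text}')
```

The text inside the unexpected element is whatever the input script itself reported, which is usually the quickest pointer to the input that is failing.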