Splunk Enterprise Security

Splunk Enterprise Security: Streaming XML data tag "error"

New Member

Hi all,

I am new to Splunk and am still trying to figure out everything one step at a time. I have an issue where the streaming XML data is expecting a tag and is instead receiving something else. The warning that shows up in splunkd.log is the following:

WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "error".

Is anyone familiar with this issue? And if so, where do I even start to troubleshoot it? I don't know what file to go to check the tags or the error.

Any help would be gladly appreciated. Thanks in advance!

0 Karma

Communicator

I guess you installed the Splunk CIM Addon? In this case, about all Events containing the word "error" or similar words will get the tag "error". This is defined by a serach in the eventtypes.conf of the Splunk CIM AddOn:

[err0r]
search = NOT sourcetype=stash (error OR failure OR fail OR failed OR fatal) NOT "not an error"
#tag   = error

and tags.conf:

## error
[eventtype=err0r]
error = enabled
0 Karma

New Member

Sorry for the late reply, so the way to fix it would be by disabling the error tag?

0 Karma

Path Finder

I wouldnt disable the tag, you may prevent results appearing from important queries.

0 Karma