Hello,
I have the following input
[powershell://Audit]
script = & "$SplunkHome\etc\apps###\bin\Audit.ps1"
schedule = 45 * * ? * *
index = ###
sourcetype = ###
source = Powershell
disabled = 0
Audit.ps1 is periodically executed to collect local data I need to audit. It works fine for a given period, then suddenly stops collecting data until I restart the UF.
At the time when indexing stops, I see the following WARN in splunkd.log:
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Tag "\stream\event\data" was unexpected.
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "index".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "source".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "sourcetype".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "event".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "time".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "data".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "index".
As the collected data changes from one script call to another, I guess there are special characters or syntax that are making the input crash. But I cannot figure out exactly what (note: I cannot post the collected data on the forum, it is a bit sensitive).
Any suggestions to troubleshoot the problem?
Regards.
Sylvain
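
One way to test the "special character" hypothesis without sharing the data, as an added example that is not part of the original post: scan the script's text output for characters that XML 1.0 does not allow and report only their offsets and code points. It assumes the events are serialized into the XML stream named in the WARN lines; the function names and the sample events are constructed for illustration.

```powershell
# Added example (not from the original post). Assumption: Audit.ps1 output
# sometimes contains characters that XML 1.0 forbids.
function Find-InvalidXmlChar {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Text
    )
    process {
        for ($i = 0; $i -lt $Text.Length; $i++) {
            $c = $Text[$i]
            # A high surrogate followed by a low surrogate is a legal pair.
            if ([char]::IsHighSurrogate($c) -and ($i + 1) -lt $Text.Length -and
                [char]::IsLowSurrogate($Text[$i + 1])) {
                $i++
                continue
            }
            # IsXmlChar is false for C0 controls other than TAB/LF/CR,
            # for U+FFFE/U+FFFF, and for lone surrogates.
            if (-not [System.Xml.XmlConvert]::IsXmlChar($c)) {
                [pscustomobject]@{
                    Offset    = $i
                    CodePoint = 'U+{0:X4}' -f [int]$c
                }
            }
        }
    }
}

# Hypothetical sanitizer: swap each forbidden character for U+FFFD.
function Remove-InvalidXmlChar {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $chars = $Text.ToCharArray()
    foreach ($hit in @(Find-InvalidXmlChar -Text $Text)) {
        $chars[$hit.Offset] = [char]0xFFFD
    }
    -join $chars
}

# Constructed sample events: the second carries ESC (U+001B) and NUL (U+0000).
$sample = @(
    'user=alice action=logon result=ok',
    "user=bob action=run cmd=$([char]0x1B)[31mtool$([char]0)"
)
for ($n = 0; $n -lt $sample.Count; $n++) {
    $sample[$n] | Find-InvalidXmlChar |
        ForEach-Object { 'event {0}: {1} at offset {2}' -f $n, $_.CodePoint, $_.Offset }
}
```

To check real output, run the script in a console and pipe it through `Out-String -Stream | Find-InvalidXmlChar`; only offsets and code points are printed, not the collected data.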