I have installed the Nextcloud TA and application on Splunk 7.0.2 ( a second fresh install to be sure) and am having problems with the nextcloud-serverinfo script and the information in the index. The Server status scripts works fine and the JSON information returned is interpreted correctly. Serverinfo however is in XML and does not look to be working correctly. I am using the defaults as per the installation instructions. Running the script from the shell, curl provides the following response: <?xml version="1.0"?> <ocs> <meta> <status>ok</status> <statuscode>200</statuscode> <message>OK</message> </meta> <data> <nextcloud> <system> <version>13.0.1.1</version> <theme>none</theme> <enable_avatars>yes</enable_avatars> <enable_previews>yes</enable_previews> <memcache.local>\OC\Memcache\Redis</memcache.local> <memcache.distributed>\OC\Memcache\Redis</memcache.distributed> <filelocking.enabled>yes</filelocking.enabled> <memcache.locking>\OC\Memcache\Redis</memcache.locking> <debug>no</debug> <freespace>193281241088</freespace> <cpuload> <element>0</element> <element>0.01</element> <element>0</element> </cpuload> <mem_total>4046316</mem_total> <mem_free>3228028</mem_free> <swap_total>999420</swap_total> <swap_free>998896</swap_free> </system> <storage> <num_users>2</num_users> <num_files>12180</num_files> <num_storages>3</num_storages> <num_storages_local>1</num_storages_local> <num_storages_home>2</num_storages_home> <num_storages_other>0</num_storages_other> </storage> <shares> <num_shares>0</num_shares> <num_shares_user>0</num_shares_user> <num_shares_groups>0</num_shares_groups> <num_shares_link>0</num_shares_link> <num_shares_link_no_password>0</num_shares_link_no_password> <num_fed_shares_sent>0</num_fed_shares_sent> <num_fed_shares_received>0</num_fed_shares_received> </shares> </nextcloud> <server> <webserver>Apache/2.4.18 (Ubuntu)</webserver> <php> <version>7.0.28</version> <memory_limit>536870912</memory_limit> <max_execution_time>3600</max_execution_time> <upload_max_filesize>1048576000</upload_max_filesize> </php> <database> <type>mysql</type> <version>10.2.13</version> <size>5406720</size> </database> </server> <activeUsers> <last5minutes>1</last5minutes> <last1hour>1</last1hour> <last24hours>2</last24hours> </activeUsers> </data> </ocs> This results in just over 60 events being indexed as per this screenshot: - The Nextcloud dashboard is trying to display ocs.data.nextcloud.storage.num_users and finds nothing, however a field num_users exists. Props.conf has the following default configuration: - [nextcloud-serverinfo] KV_MODE = xml ANNOTATE_PUNCT = false Everything is telling me the xml is not being parsed correctly, due to multiple events, but am unsure what to try. Any clues, or does someone have this working with Nextcloud 13, Splunk 7.0.2 and teh Nextcloud app? If so, what does the event look like after the scripts runs? ... View more

For anyone having issues with event time not matching the timestamps from pfsense's syslog. It all starts off OK and at what seems random times the date and time starts jumping around. I believe it is due to IPv6 events being interpreted as date and time. Adding a props.conf to /opt/splunk/etc/apps/TA-pfsense/local with the following: [pfsense] TIME_PREFIX = ^ TIME_FORMAT = %b %d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 15 This limits splunk to only parsing the first 15 characters of the syslog message from pfsense. Other notes, although not supported, this worked with TA_pfsense on splunk 6.5 and also manually installed in 7.02 (although the later is not listed as supported.) ... View more