All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco eStreamer eNcore Add-on for Splunk v4.0.11 Unable to parse nav XML for app=eStreamer-Dashboard

g_paternicola
Path Finder
‎03-15-2021 03:03 AM

Hi everyone,

I have installed and configured the following 2 Apps:

http://apps.splunk.com/app/3662
http://apps.splunk.com/app/3663

based on the instruction on this page: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSpl...

the configuration went pretty good and I could get a successful connection to the eStreamer. 

As I wanted to search for sourcetype="cisco:estreamer:data" there were no data coming in. 
I can prove that a lot of data is sent to Splunk with the command:

tcpdump port 8302


Once I'm looking for index=_internal estreamer (log_level=ERROR OR log_level=WARN) there are a lot of error message like this:

ERROR	[604f2bfe5a7f42306d1990] appnav:186 - Unable to parse nav XML for app=eStreamer-Dashboard; Unicode strings with encoding declaration are not supported. Please use bytes input or XML fragments without declaration.


Could someone please help me, I don't have any idea why I'm getting this error...

Thank you very much

Labels (2)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

g_paternicola
Path Finder
‎03-15-2021 06:56 AM

Nevermind. I have found the solution by myself. There is an error for the xml encoding in the default file.

Instead of:

<?xml version="1.0" encoding="UTF-8"?>

should be:

<?xml version="1.0"?>


The file can be found in the App eStreamer-Dashboard on the Navigation Menu and the entry is called "default"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

g_paternicola
Path Finder
‎03-15-2021 06:56 AM

Nevermind. I have found the solution by myself. There is an error for the xml encoding in the default file.

Instead of:

<?xml version="1.0" encoding="UTF-8"?>

should be:

<?xml version="1.0"?>


The file can be found in the App eStreamer-Dashboard on the Navigation Menu and the entry is called "default"

0 Karma
Reply
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...