All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco eStreamer eNcore Add-on for Splunk v4.0.11 Unable to parse nav XML for app=eStreamer-Dashboard

g_paternicola
Path Finder
‎03-15-2021 03:03 AM

Hi everyone,

I have installed and configured the following 2 Apps:

http://apps.splunk.com/app/3662
http://apps.splunk.com/app/3663

based on the instruction on this page: https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSpl...

the configuration went pretty good and I could get a successful connection to the eStreamer. 

As I wanted to search for sourcetype="cisco:estreamer:data" there were no data coming in. 
I can prove that a lot of data is sent to Splunk with the command:

tcpdump port 8302


Once I'm looking for index=_internal estreamer (log_level=ERROR OR log_level=WARN) there are a lot of error message like this:

ERROR	[604f2bfe5a7f42306d1990] appnav:186 - Unable to parse nav XML for app=eStreamer-Dashboard; Unicode strings with encoding declaration are not supported. Please use bytes input or XML fragments without declaration.


Could someone please help me, I don't have any idea why I'm getting this error...

Thank you very much

Labels (2)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

g_paternicola
Path Finder
‎03-15-2021 06:56 AM

Nevermind. I have found the solution by myself. There is an error for the xml encoding in the default file.

Instead of:

<?xml version="1.0" encoding="UTF-8"?>

should be:

<?xml version="1.0"?>


The file can be found in the App eStreamer-Dashboard on the Navigation Menu and the entry is called "default"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

g_paternicola
Path Finder
‎03-15-2021 06:56 AM

Nevermind. I have found the solution by myself. There is an error for the xml encoding in the default file.

Instead of:

<?xml version="1.0" encoding="UTF-8"?>

should be:

<?xml version="1.0"?>


The file can be found in the App eStreamer-Dashboard on the Navigation Menu and the entry is called "default"

View solution in original post

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!