All Apps and Add-ons

Syndication Input (RSS/ATOM/RDF) add-on: Why am I getting "INFO Successfully retrieved feed entries, count=0" running a search?

timpacl
Path Finder

I just installed the Syndication Input add-on on my stand-alone search head and configured the answers.splunk.com/feed/questions.rss input as shown in the example. No data is showing in the dedicated index and running index=_internal sourcetype="syndication_modular_input" shows multiple records with this message:

"INFO Successfully retrieved feed entries, count=0, url=https://answers.splunk.com/feed/questions.rss"

So it says everything is fine, but there is nothing there. I tried both with and without credentials. Inputs.conf stanza in the search app looks like:

[syndication://Splunk Answers]
host = answers.splunk.com
include_only_changed = 1
index = training
interval = 1m
sourcetype = SplunkTraining-Answers
url = https://answers.splunk.com/feed/questions.rss
0 Karma

LukeMurphey
Champion

It seems like a bug. I have reproduced it locally and am looking fixing it. See http://lukemurphey.net/issues/1134 for details.

I'll post an update here once I find a solution,

0 Karma

kabali12345
New Member

i am not getting updates from rss to my splunk instance can u suggest me whole procedure?
Thank you.

0 Karma

timpacl
Path Finder

I found that while my server has internet connectivity, when I try to open the RSS directly in the browser it reports that security settings prevent downloading the file. I am working on a solution. I am not sure that corporate policy will allow me to change the security settings.

0 Karma

LukeMurphey
Champion

I tried reproducing this on Windows + Splunk 6.2. Still works fine for me. I posted a build that will output a lot more details to the internal log. Would you be willing to run that one? That version will output details on why it is ignoring each RSS entry (do a search for "index=_internal sourcetype=syndication_modular_input").

0 Karma

tp92222
Explorer

@Luke i aslo used new build posted by you above but same result

log-

2016-02-18 12:37:36,167 INFO Successfully retrieved feed entries, count=0, url=http://tif.mcafee.com/threats.rss

0 Karma

LukeMurphey
Champion

@tp92222: also, you may try creating another identical input but disabling the option to only include changed entries.

0 Karma

LukeMurphey
Champion

@tp92222: that build doesn't include any fixes. Instead, it includes more instrumentation that may help me detect the issue. What do you see when you search for the following:

index=_internal sourcetype="syndication_modular_input" | rex field=_raw "(?<action>((Skipping)|(Including)))" | search count>0 OR action=Including  | table date latest_date title action count
0 Karma

tp92222
Explorer

i reinstall splunk but this time 6.3 ver .now i am able to see feeds .thank you all for help

0 Karma

tp92222
Explorer

config -windows 7 + splunk 6.2

let me know if i miss anything

-installed Syndication Input (RSS/ATOM/RDF) add-on
-enabled app from manage app
-config input with settings shown in below pic
alt text
https://www.dropbox.com/s/xw18mz93kplaa6r/syn.png?dl=0

  • search for Sourcetype=McAfeeTI got no result

i search for "index=_internal sourcetype=syndication_modular_input"

got log as below

2016-02-17 13:37:52,151 INFO Successfully retrieved feed entries, count=0, url=http://tif.mcafee.com/threats.rss

0 Karma

timpacl
Path Finder

I will do it next week. Thanks.

0 Karma

timpacl
Path Finder

Distributed on-prem installation of 6.2 on Windows Server 2012. 5 indexers and 1 search head in 2 US data centers.

0 Karma

LukeMurphey
Champion

I tried to reproduce this but it has been working fine for me once I created the "training" index.

0 Karma

LukeMurphey
Champion

@timpacl, @tp92222: Could both of you provide some information about your Splunk environments (platform, version of Splunk, etc.)? I cannot reproduce this and I'm trying to figure out what is different on my environment than yours.

0 Karma

tp92222
Explorer

i am facing same problem..please give us update

thank you!!!!

0 Karma

timpacl
Path Finder

Any Update LukeMurphey?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...