Splunk Dev

Splunklib (python)/API issues after update to 7.2.0: "ParseError: mismatched tag: line 10625, column 2".

dan_ritter
Engager

Hello,

I have been running some scripts using splunklib for the past year or so without any issues. I recently updated our indexers to 7.2.0 and am now receiving occasional errors. The issue below happens every once in a while in about 5 scripts, and every time in another.

Here is the traceback:

Error on REDACTED:
Traceback (most recent call last):
  File "REDACTED.py", line 152, in
    message += REDACTED.REDACTED(REDACTED)
  File "/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED.py", line 93, in REDACTED
    REDACTED = REDACTED(REDACTED,REDACTED)
  File "/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED/REDACTED.py", line 43, in REDACTED
    for result in results:
  File "/usr/local/lib/python2.7/dist-packages/splunklib/results.py", line 205, in next
    return self._gen.next()
  File "/usr/local/lib/python2.7/dist-packages/splunklib/results.py", line 212, in _parse_results
    for event, elem in et.iterparse(stream, events=('start', 'end')):
  File "", line 91, in next
ParseError: mismatched tag: line 10625, column 2

I am not sure what the issue is here. To debug a bit easier, I took the exact code that made searches and put it in its own file. After running it the first time, it iterated over about half of the results in the search and failed with the above error. The remaining times it has worked fine. This same issue happens in several scripts that seem to have no correlation with each other.

To make it more clear, here is example source:

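import splunklib.results as results
import splunklib.client as client

def execute_search(search_string, service):
    # Streaming export search over the last 7 days
    kwargs_export = {"earliest_time": "-7d", "latest_time": "now", "search_mode": "normal"}
    exportsearch_results = service.jobs.export(search_string, **kwargs_export)
    # ResultsReader parses the XML response stream lazily, during iteration
    return results.ResultsReader(exportsearch_results)

# client.connect returns the Service object passed to execute_search
token = client.connect(host='splunk_server', port=8089, username='user', password='pass')
# Note: this rebinds the name of the imported results module
results = execute_search("search index=example", token)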

Here is where it fails during iteration:

for result in results:
    print result

I would appreciate any insight anyone can provide.

Thanks!

1 Solution

sylim_splunk
Splunk Employee

i) Try to work out what error it hits; use an online XML validator.

ii) If it's not something you can't fix due to the mal-formatted XML, then try to use CSV format in the request. For example, in kwargs_export add "output_mode": "csv".

kwargs_export = {"earliest_time": "-7d", "latest_time": "now", "search_mode": "normal", "output_mode": "csv" }
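
Step i) can also be done locally on a saved copy of the response. The following is an added example, not code from the original posts or from splunklib: it reports where the parser stopped, which elements were still open, and the surrounding lines, for both a missing closing tag and a body that ends early. It assumes the raw export response was saved as bytes and may contain several concatenated `<results>` documents; `locate_xml_error`, `XML_DECL`, the synthetic `<doc>` wrapper and `SAMPLE` are names and data constructed here.

```python
import io
import re
import xml.etree.ElementTree as ET

# Matches XML declarations, which are only legal at the very start of a document.
XML_DECL = re.compile(br"<\?xml[^>]*\?>")

# Constructed sample: the <field> element on line 4 is never closed.
SAMPLE = (b"<?xml version='1.0' encoding='UTF-8'?>\n"
          b"<results preview='0'>\n"
          b"<result offset='0'>\n"
          b"<field k='host'><value><text>web01</text></value>\n"
          b"</result>\n"
          b"</results>\n")

def locate_xml_error(raw, context=2):
    """Return None if raw parses; otherwise describe where parsing stopped."""
    # Drop declarations and wrap everything in one synthetic root. No newline
    # is added, so reported line numbers still match the saved file.
    body = b"<doc>" + XML_DECL.sub(b"", raw) + b"</doc>"
    open_tags = []
    try:
        for event, elem in ET.iterparse(io.BytesIO(body), events=("start", "end")):
            if event == "start":
                open_tags.append(elem.tag)
            else:
                open_tags.pop()
                elem.clear()  # keep memory flat on large exports
    except ET.ParseError as err:
        line, column = err.position
        lines = body.split(b"\n")
        lo, hi = max(line - 1 - context, 0), min(line + context, len(lines))
        return {
            "message": str(err),
            "line": line,
            "column": column,
            "open_tags": open_tags[1:],  # skip the synthetic <doc>
            "context": [(n + 1, lines[n].decode("utf-8", "replace"))
                        for n in range(lo, hi)],
        }
    return None

if __name__ == "__main__":
    print(locate_xml_error(SAMPLE))
```

If the innermost entry of `open_tags` is `results` or `result` and the error sits on the last line, the body ended before the document was closed rather than containing a bad tag in the middle.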
