The following error is displayed at startup.
How can I support?
Splunk> Be an IT superhero. Go home early.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Error while parsing '/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml':
not well-formed (invalid token): line 39, column 62
There were problems with the configuration files.
Would you like to ignore these errors? [y/n]:
kenji
Thats an XML issue, you should substitute Event with EventType and not do
Event< 14
but
> (EventType==1 OR EventType==2 OR
> EventType==3 OR EventType==4 OR
> EventType==5 OREventType==6 OR
> EventType==7 OR EventType==8 OR
> EventType==9 OR EventType==10 OR
> EventType==11 OR EventType==11 OR
> EventType==12 OR EventType==13 )
That should fix the issue. The alternative is to use CDATA to bypass xml errors.
This is the way i went around it and it works fine.
Hi kenji
it seems as if you are having a problem with your token that you just define in the /opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml'
what i will like you to do is to check the token that you just define in usage_sites.xml because look the message carefully it say that
Checking configuration... Error while parsing '/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml':
not well-formed (invalid token): line 39, column 62
let take a look at the last message there was problems with the configuration file so please check the token at the usage_sites.xml' in the file that is the problem
There were problems with the configuration files.
Would you like to ignore these errors? [y/n]:
please try to check the token that you define if you can not do it very well please paste the code on answer i think i may help you to resolve this problem
thanks
Hi kenji
actually the first problem is that you are having problem with your search request you need to add .csv this is the right search request
36 | inputlookup SPSite.csv
37 | table Id,Url
38 | rename Id as SiteId
39 | join type=outer [ search eventtype=mssharepoint-audit Event<14 | stats count by SiteId ]
40 | where isnull(count)
41 | table SiteId,Url
secondly another problem that you said that you not can see the SPSite csv because you have not define the right directory this is the right want
$SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups
Thank you for your reply.
I investigated to line 39 , column 62 in following file.
/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml
36 | inputlookup SPSite
37 | table Id,Url
38 | rename Id as SiteId
39 | join type=outer [ search eventtype=mssharepoint-audit Event<14 | stats count by SiteId ]
40 | where isnull(count)
41 | table SiteId,Url
Actually, I could not find a "SPSite" csv file in SharePoint Apps directory.
I guess does not define "SPSite" look up table in SharePonit Apss.
How can I fix this problem?
Thanks,
Kenz