All Apps and Add-ons

Splunk App for Microsoft SharePoint: Why am I getting "Error while parsing '.../views/usage_sites.xml': not well-formed (invalid token)" at Splunk startup?

kobayashikenji
Explorer

The following error is displayed at startup.
How can I support?

Splunk> Be an IT superhero. Go home early.

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration... Error while parsing '/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml':
 not well-formed (invalid token): line 39, column 62


There were problems with the configuration files.
Would you like to ignore these errors? [y/n]:

kenji

0 Karma

arber
Communicator

Thats an XML issue, you should substitute Event with EventType and not do

 Event< 14

but

> (EventType==1 OR EventType==2 OR
> EventType==3 OR EventType==4 OR
> EventType==5 OREventType==6 OR
> EventType==7 OR EventType==8 OR
> EventType==9 OR EventType==10 OR
> EventType==11 OR EventType==11 OR 
> EventType==12 OR EventType==13 )

That should fix the issue. The alternative is to use CDATA to bypass xml errors.

This is the way i went around it and it works fine.

0 Karma

juvetm
Communicator

Hi kenji
it seems as if you are having a problem with your token that you just define in the /opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml'
what i will like you to do is to check the token that you just define in usage_sites.xml because look the message carefully it say that

 Checking configuration... Error while parsing '/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml':
  not well-formed (invalid token): line 39, column 62 

let take a look at the last message there was problems with the configuration file so please check the token at the usage_sites.xml' in the file that is the problem

 There were problems with the configuration files.
 Would you like to ignore these errors? [y/n]:

please try to check the token that you define if you can not do it very well please paste the code on answer i think i may help you to resolve this problem
thanks

0 Karma

juvetm
Communicator

Hi kenji
actually the first problem is that you are having problem with your search request you need to add .csv this is the right search request

 36 | inputlookup SPSite.csv
   37 | table Id,Url
   38 | rename Id as SiteId
   39 | join type=outer [ search eventtype=mssharepoint-audit Event<14 | stats count by SiteId ]
   40 | where isnull(count)
   41 | table SiteId,Url

secondly another problem that you said that you not can see the SPSite csv because you have not define the right directory this is the right want

$SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups
0 Karma

kobayashikenji
Explorer

Thank you for your reply.

I investigated to line 39 , column 62 in following file.

/opt/splunk/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage_sites.xml

  36 | inputlookup SPSite
  37 | table Id,Url
  38 | rename Id as SiteId
  39 | join type=outer [ search eventtype=mssharepoint-audit Event<14 | stats count by SiteId ]
  40 | where isnull(count)
  41 | table SiteId,Url

Actually, I could not find a "SPSite" csv file in SharePoint Apps directory.
I guess does not define "SPSite" look up table in SharePonit Apss.

How can I fix this problem?

Thanks,
Kenz

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...