Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I resolved this scheduled search XML parse error?

KrisAbhishek
New Member
‎09-21-2017 02:47 AM

I am running splunk query which is scheduled to run in every minute to pull the events of last minute. Randomly i getting this xml parse error.

Splunk query :- search index=os sourcetype=cpu all earliest=-2m@m latest=-1m@m |dedup host| eval fields=split(_raw,\" \") | eval num=mvindex(fields,-1)| eval cpuUtilization = 100-num |eval human_readable_time=strftime(_time, \"%Y-%m-%d %H:%M:%S\") |table human_readable_time host cpuUtilization

Error :-
java.lang.RuntimeException: java.lang.RuntimeException: ParseError at [row,col]:[363,318]
Message: The character sequence "]]>" must not appear in content unless used to mark the end of a CDATA section.
at com.splunk.Job.refresh(Job.java:900)
at com.splunk.Job.isReady(Job.java:823)
at com.splunk.Job.isDone(Job.java:770)
at MAPDashboardMain$1.run(MAPDashboardMain.java:175)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:351)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:729)
Caused by: java.lang.RuntimeException: ParseError at [row,col]:[363,318]
Message: The character sequence "]]>" must not appear in content unless used to mark the end of a CDATA section.
at com.splunk.AtomObject.scan(AtomObject.java:198)
at com.splunk.AtomEntry.parseValue(AtomEntry.java:220)
at com.splunk.AtomEntry.parseDict(AtomEntry.java:143)
at com.splunk.AtomEntry.parseStructure(AtomEntry.java:189)
at com.splunk.AtomEntry.parseValue(AtomEntry.java:230)
at com.splunk.AtomEntry.parseDict(AtomEntry.java:143)
at com.splunk.AtomEntry.parseContent(AtomEntry.java:118)
at com.splunk.AtomEntry.init(AtomEntry.java:95)
at com.splunk.AtomObject.load(AtomObject.java:121)
at com.splunk.AtomEntry.parse(AtomEntry.java:77)
at com.splunk.AtomEntry.parseStream(AtomEntry.java:57)
at com.splunk.Job.refresh(Job.java:898)
... 11 more
Caused by: com.sun.xml.stream.XMLStreamException2: ParseError at [row,col]:[363,318]
Message: The character sequence "]]>" must not appear in content unless used to mark the end of a CDATA section.
at com.sun.xml.stream.XMLReaderImpl.next(XMLReaderImpl.java:604)
at com.splunk.AtomObject.scan(AtomObject.java:193)
... 22 more

Can someone please explain why this occuring ?

0 Karma
Reply

DalJeanis
Legend
‎09-21-2017 08:51 AM

When you go back and run the extract across that same time frame, do you get the same error message? If so, then the problem is a malformed JSON/XML construct. Run the following across one of the failing time periods to find the culprit.

index=os sourcetype=cpu "*]]>*" |head 1
0 Karma
Reply

KrisAbhishek
New Member
‎09-21-2017 11:06 AM

Thanks DalJeanis. I do see result via Splunk Ui for same timeframe.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...