Using the Java API and requesting a streaming export from Splunk, a search like this:
search index="client_ndx" sourcetype="client_source" (field1 = "*") | regex field1 != "val1|val2|val3" | fields field1, field2, field3, field4, _time | fields - _raw
(NOTE: ending with "|fields - _raw") returns the labeled fields, but ending it without that exclusion fails with the following error:
java.lang.RuntimeException: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[124683119,213]
Message: JAXP00010004: The accumulated size of entities is "50,000,001" that exceeded the "50,000,000" limit set by "FEATURE_SECURE_PROCESSING".
at com.splunk.ResultsReaderXml.getNextEventInCurrentSet(ResultsReaderXml.java:128)
at com.splunk.ResultsReader.getNextElement(ResultsReader.java:87)
at com.splunk.ResultsReader.getNextElement(ResultsReader.java:29)
at com.splunk.StreamIterableBase.cacheNextElement(StreamIterableBase.java:87)
at com.splunk.StreamIterableBase.access$000(StreamIterableBase.java:28)
at com.splunk.StreamIterableBase$1.hasNext(StreamIterableBase.java:37)
at com.insightrocket.summaryloaders.splunk.SplunkParser.run(SplunkParser.java:112)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.xml.stream.XMLStreamException: ParseError at [row,col]:[124683119,213]
Message: JAXP00010004: The accumulated size of entities is "50,000,001" that exceeded the "50,000,000" limit set by "FEATURE_SECURE_PROCESSING".
at com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.next(XMLStreamReaderImpl.java:596)
at com.sun.xml.internal.stream.XMLEventReaderImpl.nextEvent(XMLEventReaderImpl.java:83)
at com.splunk.ResultsReaderXml.readSubtree(ResultsReaderXml.java:423)
at com.splunk.ResultsReaderXml.getResultKVPairs(ResultsReaderXml.java:325)
at com.splunk.ResultsReaderXml.getNextEventInCurrentSet(ResultsReaderXml.java:124)
... 7 more
I specifically used the system.export to get a stream and bypass the maximum record count, but a change in the system now requires the use of the _raw field.