Splunk Dev

Data upload to spool is truncated

philip_w
Explorer

I'm using powershell to get a web page in order to keep track my service status.
I tested my script which can write the whole page into local file without problem.
Then I changed to write it to $SPLUNK_HOME/var/spool/splunk

However, I found from Splunk search it always only captured the first few lines in HTML before the

Can anyone tell there's any setting affecting spool indexing behavior?

Thanks!!

0 Karma
1 Solution

woodcock
Esteemed Legend

If you need to blast a few files into splunk using a script, then just use add oneshot:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorfilesanddirectoriesusingtheCLI

View solution in original post

0 Karma

woodcock
Esteemed Legend

If you need to blast a few files into splunk using a script, then just use add oneshot:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorfilesanddirectoriesusingtheCLI

0 Karma

philip_w
Explorer

I should go for [batch://] indeed.

Thank you for your advice!

0 Karma

woodcock
Esteemed Legend

Yes, that will delete after sending, if you configure it properly.

0 Karma

woodcock
Esteemed Legend

Why would you ever write to $SPLUNK_HOME at all, especially var? Please point us to splunk docs that describes the way you are using this directory (which so far as I know is for internal use regarding primarily summary indexing).

0 Karma

philip_w
Explorer

I thought writing file to spool is the easiest way if I don't want to keep the file after indexing. Ok, seems I shouldn't use without good knowledge.

There is another story about powershell... I initially wanted to get the page through stdin/out. I failed to, so I wrote the html content into file first

0 Karma

woodcock
Esteemed Legend

Maybe it is a thing now. Show the the docs page.

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @philip_w, did a portion of your post get cut off? This part: "However, I found from Splunk search it always only captured the first few lines in HTML before the" You can edit your post by pressing the gear icon to the top right of the post.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...