Bash echo command no ingested by splunk, whle othe...

Dpeedahnb · ‎11-26-2020

I have these as the final lines of my bash script:

response=$(curl -H "Authorization: Bearer $access_token" -H "Accept: application/json;odata=verbose" -s "$url")
echo "$response"

echo "Test1"

The script runs, however only 'Test 1' is sent to the index/splunk.
My response, which I know returns the response of the curl command, seems to be being ignored. The only reason I can think for this is that it's too large a body?
The response is in json but is quite large, I'd say pages worth.

isoutamo · ‎11-26-2020

To se if you get anything what you are expecting just add “ | wc “ inside response evaluation.

Dpeedahnb · ‎11-26-2020

wc provides '0 2220 612208' as a response when I run the script myself.
However on splunk the echo returns 0 0 0 as an event

isoutamo · ‎11-26-2020

The size of your response is quite much more than max size of shell variable (~32k). This is the reason why it’s didn’t work.
Can you write it to file and then read it there to splunk?

richgalloway · ‎11-26-2020

Anything helpful in splunkd.log?

---
If this reply helps you, Karma would be appreciated.

Bash echo command no ingested by splunk, whle others are.

JSON

Linux

scripted input

sourcetype

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect

Join the Conversation