Bash echo command no ingested by splunk, whle othe...

Dpeedahnb · ‎11-26-2020

I have these as the final lines of my bash script:

response=$(curl -H "Authorization: Bearer $access_token" -H "Accept: application/json;odata=verbose" -s "$url")
echo "$response"

echo "Test1"

The script runs, however only 'Test 1' is sent to the index/splunk.
My response, which I know returns the response of the curl command, seems to be being ignored. The only reason I can think for this is that it's too large a body?
The response is in json but is quite large, I'd say pages worth.

isoutamo · ‎11-26-2020

To se if you get anything what you are expecting just add “ | wc “ inside response evaluation.

Dpeedahnb · ‎11-26-2020

wc provides '0 2220 612208' as a response when I run the script myself.
However on splunk the echo returns 0 0 0 as an event

isoutamo · ‎11-26-2020

The size of your response is quite much more than max size of shell variable (~32k). This is the reason why it’s didn’t work.
Can you write it to file and then read it there to splunk?

richgalloway · ‎11-26-2020

Anything helpful in splunkd.log?

---
If this reply helps you, Karma would be appreciated.

Bash echo command no ingested by splunk, whle others are.

JSON

Linux

scripted input

sourcetype

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?