Re: Bash echo command no ingested by splunk, whle ...

Dpeedahnb · ‎11-26-2020

I have these as the final lines of my bash script:

response=$(curl -H "Authorization: Bearer $access_token" -H "Accept: application/json;odata=verbose" -s "$url")
echo "$response"

echo "Test1"

The script runs, however only 'Test 1' is sent to the index/splunk.
My response, which I know returns the response of the curl command, seems to be being ignored. The only reason I can think for this is that it's too large a body?
The response is in json but is quite large, I'd say pages worth.

isoutamo · ‎11-26-2020

To se if you get anything what you are expecting just add “ | wc “ inside response evaluation.

Dpeedahnb · ‎11-26-2020

wc provides '0 2220 612208' as a response when I run the script myself.
However on splunk the echo returns 0 0 0 as an event

isoutamo · ‎11-26-2020

The size of your response is quite much more than max size of shell variable (~32k). This is the reason why it’s didn’t work.
Can you write it to file and then read it there to splunk?

richgalloway · ‎11-26-2020

Anything helpful in splunkd.log?

---
If this reply helps you, Karma would be appreciated.

Bash echo command no ingested by splunk, whle others are.

JSON

Linux

scripted input

sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation