Getting Data In

Bash echo command no ingested by splunk, whle others are.

Dpeedahnb
Explorer

I have these as the final lines of my bash script:

response=$(curl -H "Authorization: Bearer $access_token" -H "Accept: application/json;odata=verbose" -s "$url")
echo "$response"

echo "Test1"

The script runs, however only 'Test 1' is sent to the index/splunk.
My response, which I know returns the response of the curl command, seems to be being ignored. The only reason I can think for this is that it's too large a body?
The response is in json but is quite large, I'd say pages worth.

Labels (4)
0 Karma

isoutamo
SplunkTrust
SplunkTrust
To se if you get anything what you are expecting just add “ | wc “ inside response evaluation.
0 Karma

Dpeedahnb
Explorer

wc provides '0 2220 612208' as a response when I run the script myself.
However on splunk the echo returns  0 0 0 as an event

0 Karma

isoutamo
SplunkTrust
SplunkTrust
The size of your response is quite much more than max size of shell variable (~32k). This is the reason why it’s didn’t work.
Can you write it to file and then read it there to splunk?
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Anything helpful in splunkd.log?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...