Re: Bash echo command no ingested by splunk, whle ...

Dpeedahnb · ‎11-26-2020

I have these as the final lines of my bash script:

response=$(curl -H "Authorization: Bearer $access_token" -H "Accept: application/json;odata=verbose" -s "$url")
echo "$response"

echo "Test1"

The script runs, however only 'Test 1' is sent to the index/splunk.
My response, which I know returns the response of the curl command, seems to be being ignored. The only reason I can think for this is that it's too large a body?
The response is in json but is quite large, I'd say pages worth.

isoutamo · ‎11-26-2020

To se if you get anything what you are expecting just add “ | wc “ inside response evaluation.

Dpeedahnb · ‎11-26-2020

wc provides '0 2220 612208' as a response when I run the script myself.
However on splunk the echo returns 0 0 0 as an event

isoutamo · ‎11-26-2020

The size of your response is quite much more than max size of shell variable (~32k). This is the reason why it’s didn’t work.
Can you write it to file and then read it there to splunk?

richgalloway · ‎11-26-2020

Anything helpful in splunkd.log?

---
If this reply helps you, Karma would be appreciated.

Bash echo command no ingested by splunk, whle others are.

JSON

Linux

scripted input

sourcetype

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?