I have in the inputs.conf, as an example, a scripted input on the server where the Splunk Universal Forwarder is installed:
[script://.\bin\LongRunningQueriesRpt.path]
interval = */1 * * * 1-5
disabled = 0
sourcetype = csv
send_index_as_argument_for_path = 0
In the input file is the execution of the PowerShell script.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "$SPLUNK_HOME\etc\apps\appname\bin\LongRunningQueriesRpt.ps1"
It runs fine, but in the splunkd.log file I am seeing LineBreakingProcessor warning messages as noted below.
WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 50869 - data_source="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1"", data_host="host_name", data_sourcetype="csv"
I understand I have to update the props.conf file on the indexer as that is where the parsing happens. But I am not sure what to use, as the examples I've seen have been for log files. So, I am not sure what I should put in the source section to eliminate the messages. I only want/need to do this for this particular script. Any ideas I can try?
[Source::?]
TRUNCATE = 0
The above is what I want to use, but I'm just not sure what to put into the source. Thanks in advance for any help anyone can provide.
I put this update in the props.conf on the indexer server and restarted the service, and the warning messages are still coming in. So, should it go on the forwarder server instead? I put exactly what you had in the example. Should I remove the ... and put the actual Windows path?
Try with full path.
I would create a new sourcetype (instead of using the default csv sourcetype) in this case. I would define my custom sourcetype on the Indexer, include the TRUNCATE setting in it, and update the inputs.conf entry to use my custom sourcetype.
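The custom-sourcetype approach suggested in the answer above, written out as an added example that is not part of the original thread. The sourcetype name longrunningqueries_csv is a hypothetical placeholder; the script stanza and its settings are the ones from the question.

```ini
# --- inputs.conf on the Universal Forwarder (in the app that holds the script) ---
# Same scripted input as in the question; only the sourcetype changes.
# "longrunningqueries_csv" is a hypothetical name chosen for this example.
[script://.\bin\LongRunningQueriesRpt.path]
interval = */1 * * * 1-5
disabled = 0
sourcetype = longrunningqueries_csv
send_index_as_argument_for_path = 0

# --- props.conf on the indexer ---
# Keying on the sourcetype avoids having to match the quoted
# powershell.exe command line that shows up in the source field.
[longrunningqueries_csv]
# The default limit is 10000 bytes; the warning in splunkd.log reported
# a line length >= 50869 bytes. 0 disables truncation entirely, so one
# malformed or runaway line from the script is indexed in full.
TRUNCATE = 0
# Bounded alternative (use instead of 0): a cap above the observed line
# length still stops unexpectedly huge lines from being indexed whole.
# TRUNCATE = 100000
```

A new sourcetype stanza does not inherit the settings of the built-in csv sourcetype, so any csv-specific behaviour the data relied on has to be set in the new stanza as well.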
So, should I put the full path to the .path based on the indexer under the deployment apps subdirectory, or based on the forwarder server under the apps subdirectory? Based on your feedback I will look into both suggestions you have made and report back tomorrow. Thanks again for your quick responses.
It would be the full path on the Forwarder. If you're getting data from that script to Splunk already, you can just search for the data and look for the value in the source field in Splunk Web (and use that).
Okay, so, this is what I see in the source field in Splunk Web:
Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1""
When I put that in the props.conf on the indexer I still get the warnings. I apologize for the delay. Initially, I was not on the indexer, and I didn't have permissions to it. Now, I do. This is what I have tried so far.
[source::"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File \"C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1\""]
TRUNCATE = 0
TRUNCATE = 0