I am having a problem getting Splunk to correctly index a scripted source.
Here are the relevant configs:
inputs.conf:
[script://./bin/elmah.sh]
interval = 30
sourcetype = elmahdetails
disabled = false
index = test
props.conf:
[elmahdetails]
SHOULD_LINEMERGE=true
TRUNCATE=999999
LINE_BREAKER = <\/html>
I can see the script being triggered correctly:
08-02-2012 09:47:55.809 -0400 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/search/bin/elmah.sh, took 428.5 milliseconds to run, 7930 bytes read
The result is that the following is indexed:
However, here is the real event:
(The real text returned from the script is very long and is truncated above for ease.)
It's cutting the event off just after <\/pre>. What am I doing wrong?
(Sorry for the multiple revisions - I couldn't get the HTML to display without being interpreted. Took screenshots instead.)
----FINAL EDIT----
I ended up pursuing an alternate route to solve this issue. Thus, this issue remains unresolved and I have no plans to spend additional time working on it.
Hi Chad
There is a limit on the length of a multiline event.
The default is 256; after that, the event is broken into multiple events.
Please search on the events to confirm if this is the case.
And if it is, you can set up the parameter MAX_EVENTS for your sourcetype in props.conf.
See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
and http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Indexmulti-lineevents
The number of characters before the <\/pre> tag is variable. The stop location is not.
I used the 101010 button and it still tried to link to splunk-base.splunk.com/elmah.axd and did other interpret-y things. I also tried escaping.
Screenshots are there now... or, rather, should be.
Where are the screenshots then? 🙂
You know you can put code in backticks or by highlighting and using the "101010" button on the form.