I am having a problem getting Splunk to correctly index a scripted source.
Here are the relevant configs:
interval = 30
sourcetype = elmahdetails
disabled = false
index = test
LINE_BREAKER = <\/html>
I can see the script being triggered correctly:
08-02-2012 09:47:55.809 -0400 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/search/bin/elmah.sh, took 428.5 milliseconds to run, 7930 bytes read
The result is that the following is indexed:
However, here is the real event:
(The real text returned from the script is very long and is truncated above for ease.)
It's cutting the event off just after <\/pre>. What am I doing wrong?
(Sorry for the multiple revisions - I couldn't get the HTML to display without being interpreted. Took screenshots instead.)
I ended up pursuing an alternate route to solve this issue. Thus, this issue remains unresolved and I have no plans to spend additional time working on it.
There is a limit on the length of a multiline event.
The default is 256; after that, the event is broken into multiple events.
Please search on the events to confirm if this is the case.
And if it is, you can set up the parameter MAX_EVENTS for your sourcetype in props.conf.
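One way to run the check the answer above suggests, as an added example that is not part of the original thread: this Python sketch splits captured script output at `</html>` and counts lines per document against the 256 default the answer cites. It does not emulate Splunk's parser; `split_events`, `check_events`, `sample_output` and the sample data are constructed for illustration.

```python
import re

# Default cited in the answer; adjustable per sourcetype via MAX_EVENTS in props.conf.
DEFAULT_MAX_EVENTS = 256


def split_events(raw, terminator="</html>"):
    """Split raw output into documents, keeping each terminator with its document."""
    events, start = [], 0
    for match in re.finditer(re.escape(terminator), raw, re.IGNORECASE):
        events.append(raw[start:match.end()].strip())
        start = match.end()
    tail = raw[start:].strip()
    if tail:
        events.append(tail)  # trailing text with no closing terminator
    return events


def check_events(raw, max_lines=DEFAULT_MAX_EVENTS, terminator="</html>"):
    """Return one dict per document: line count, size, and whether it exceeds max_lines."""
    report = []
    for index, event in enumerate(split_events(raw, terminator)):
        lines = len(event.splitlines())
        report.append({
            "event": index,
            "lines": lines,
            "bytes": len(event.encode("utf-8")),
            "over_limit": lines > max_lines,
        })
    return report


def sample_output(trace_lines):
    """Constructed stand-in for one HTML error page emitted by the script."""
    trace = "\n".join("   at Constructed.Frame%d()" % i for i in range(trace_lines))
    return "<html>\n<body>\n<pre>\n%s\n</pre>\n</body>\n</html>\n" % trace


if __name__ == "__main__":
    # Constructed input: one short page and one with a 300-line stack trace.
    for row in check_events(sample_output(3) + sample_output(300)):
        print(row)
```

Feed it the captured stdout of the scripted input to check real data; any document flagged `over_limit` has more lines than the limit passed in.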
I used the 101010 button and it still tried to link to splunk-base.splunk.com/elmah.axd and did other interpret-y things. I also tried escaping.
Screenshots are there now... or, rather, should be.