Hi @harsmarvania57

Thanks for your response , I had followed the documentation and placed my Linux environment shell script in app/myapp/bin folder and provided inputs.conf in app/myapp/local folder
under the [script] stanza , the attributes given like below

interval = 300
sourcetype = my_st
source = my_st
index = main
disabled = 0

The script is working fine in server( giving the required output of 9 lines) . But in search head we are getting only 2 lines of each event

There might be possibility that Splunk is not parsing events properly and indexing data with wrong timestamp, can you please try to search data for particular sourcetype with All Time timeframe ?

I am seeing the partial data o/p from the time when I configured and restarted my Universal Forwarder . But when I searched with ALL Time , I can see some events with complete output but those are 2016 time stamped

Here you go which means Splunk is not parsing timestamp correctly. Best practice is while generating scripted output, every event should start with timestamp so that splunk will parse those events with correct date time.

Additionally if require you can define TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD on Indexer/Heavy Forwarder for sourcetype my_st