Shell script is generating only 2 lines of output in Splunk

raj_mpl
Path Finder

Hello All,
I can see only 2 lines of output in every event on the search head. Here the input is a shell script.

Any suggestions?

0 Karma

harsmarvania57
Ultra Champion

Hi,

Can you please provide more info? What shell script are you running? Where are you running the shell script? And what problem are you facing while executing the shell script in Splunk?

0 Karma

raj_mpl
Path Finder

Hi @harsmarvania57

Thanks for your response. I followed the documentation and placed my Linux environment shell script in the app/myapp/bin folder and provided inputs.conf in the app/myapp/local folder. Under the [script] stanza, the attributes are given as below:

interval = 300
sourcetype = my_st
source = my_st
index = main
disabled = 0

The script is working fine on the server (giving the required output of 9 lines). But on the search head we are getting only 2 lines in each event.

0 Karma

harsmarvania57
Ultra Champion

There might be a possibility that Splunk is not parsing events properly and is indexing data with the wrong timestamp. Can you please try to search data for that particular sourcetype with the All Time timeframe?

0 Karma

raj_mpl
Path Finder

I am seeing the partial data output from the time when I configured and restarted my Universal Forwarder. But when I searched with All Time, I can see some events with complete output, but those are timestamped 2016.

0 Karma

harsmarvania57
Ultra Champion

Here you go, which means Splunk is not parsing the timestamp correctly. Best practice while generating scripted output is that every event should start with a timestamp, so that Splunk will parse those events with the correct date and time.

Additionally, if required, you can define TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD on the Indexer/Heavy Forwarder for sourcetype my_st.

0 Karma
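
One way to apply the advice in the last reply, as an added example that is not part of the thread: a wrapper that writes each run's multi-line output as one event whose first line starts with a timestamp, with a matching props.conf stanza shown in the comments. The function names `collect_report` and `emit_event`, the sample output and the props.conf values are assumptions chosen to fit the timestamp format used here.

```shell
#!/bin/sh
# Added example (not from the thread): scripted-input wrapper for sourcetype my_st.
#
# Matching props.conf on the indexer or heavy forwarder. The values are
# assumptions that fit the timestamp written by emit_event below:
#   [my_st]
#   TIME_PREFIX = ^
#   TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
#   MAX_TIMESTAMP_LOOKAHEAD = 24

# Hypothetical stand-in for the real script's work; constructed 9-line output.
collect_report() {
    i=1
    while [ "$i" -le 9 ]; do
        echo "check_$i status=ok"
        i=$((i + 1))
    done
}

# Read a multi-line report on stdin and write it as one event whose first
# line begins with an ISO 8601 timestamp (24 characters, e.g.
# 2024-05-01T12:00:00+0000). Empty input produces no event at all, so a
# failed collection does not index a timestamp-only event.
emit_event() {
    body=$(cat)
    [ -n "$body" ] || return 0
    ts=$(date '+%Y-%m-%dT%H:%M:%S%z')
    printf '%s %s\n' "$ts" "$body"
}

# What Splunk would capture from stdout on each interval.
collect_report | emit_event
```

If the body lines themselves contain date-like strings, Splunk may still split the event at those lines, so keep the only timestamp at the start of the event.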