Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data upload to spool is truncated

philip_w
Explorer
‎09-11-2017 04:33 PM

I'm using powershell to get a web page in order to keep track my service status.
I tested my script which can write the whole page into local file without problem.
Then I changed to write it to $SPLUNK_HOME/var/spool/splunk

However, I found from Splunk search it always only captured the first few lines in HTML before the

Can anyone tell there's any setting affecting spool indexing behavior?

Thanks!!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-11-2017 05:22 PM

If you need to blast a few files into splunk using a script, then just use add oneshot:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorfilesanddirectoriesusingtheCLI

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-11-2017 05:22 PM

If you need to blast a few files into splunk using a script, then just use add oneshot:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorfilesanddirectoriesusingtheCLI

0 Karma
Reply
Solved! Jump to solution

philip_w
Explorer
‎09-11-2017 05:29 PM

I should go for [batch://] indeed.

Thank you for your advice!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-11-2017 05:33 PM

Yes, that will delete after sending, if you configure it properly.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-11-2017 05:13 PM

Why would you ever write to $SPLUNK_HOME at all, especially var? Please point us to splunk docs that describes the way you are using this directory (which so far as I know is for internal use regarding primarily summary indexing).

0 Karma
Reply
Solved! Jump to solution

philip_w
Explorer
‎09-11-2017 05:19 PM

I thought writing file to spool is the easiest way if I don't want to keep the file after indexing. Ok, seems I shouldn't use without good knowledge.

There is another story about powershell... I initially wanted to get the page through stdin/out. I failed to, so I wrote the html content into file first

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-11-2017 05:21 PM

Maybe it is a thing now. Show the the docs page.

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-11-2017 04:51 PM

Hey @philip_w, did a portion of your post get cut off? This part: "However, I found from Splunk search it always only captured the first few lines in HTML before the" You can edit your post by pressing the gear icon to the top right of the post.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...