Building for the Splunk Platform

Data upload to spool is truncated

philip_w
Explorer

I'm using powershell to get a web page in order to keep track my service status.
I tested my script which can write the whole page into local file without problem.
Then I changed to write it to $SPLUNK_HOME/var/spool/splunk

However, I found from Splunk search it always only captured the first few lines in HTML before the

Can anyone tell there's any setting affecting spool indexing behavior?

Thanks!!

0 Karma
1 Solution

woodcock
Esteemed Legend

If you need to blast a few files into splunk using a script, then just use add oneshot:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorfilesanddirectoriesusingtheCLI

View solution in original post

0 Karma

woodcock
Esteemed Legend

If you need to blast a few files into splunk using a script, then just use add oneshot:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorfilesanddirectoriesusingtheCLI

0 Karma

philip_w
Explorer

I should go for [batch://] indeed.

Thank you for your advice!

0 Karma

woodcock
Esteemed Legend

Yes, that will delete after sending, if you configure it properly.

0 Karma

woodcock
Esteemed Legend

Why would you ever write to $SPLUNK_HOME at all, especially var? Please point us to splunk docs that describes the way you are using this directory (which so far as I know is for internal use regarding primarily summary indexing).

0 Karma

philip_w
Explorer

I thought writing file to spool is the easiest way if I don't want to keep the file after indexing. Ok, seems I shouldn't use without good knowledge.

There is another story about powershell... I initially wanted to get the page through stdin/out. I failed to, so I wrote the html content into file first

0 Karma

woodcock
Esteemed Legend

Maybe it is a thing now. Show the the docs page.

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @philip_w, did a portion of your post get cut off? This part: "However, I found from Splunk search it always only captured the first few lines in HTML before the" You can edit your post by pressing the gear icon to the top right of the post.

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...