Getting Data In

Scripted input not complete

crob6281
Explorer

I am having a problem getting Splunk to correctly index a scripted source.

Here are the relevant configs:

inputs.conf
[script://./bin/elmah.sh]
interval = 30
sourcetype = elmahdetails
disabled = false
index = test

props.conf
[elmahdetails]
SHOULD_LINEMERGE=true
TRUNCATE=999999
LINE_BREAKER = <\/html>

I can see the script being triggered correctly:

08-02-2012 09:47:55.809 -0400 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/search/bin/elmah.sh, took 428.5 milliseconds to run, 7930 bytes read

The result is that the following is indexed:

[screenshot]

However, here is the real event:

[screenshot]

(The real text returned from the script is very long and is truncated above for ease.)

It's cutting the event off just after <\/pre>. What am I doing wrong?

(Sorry for the multiple revisions - I couldn't get the HTML to display without being interpreted. Took screenshots instead.)

----FINAL EDIT----
I ended up pursuing an alternate route to solve this issue. Thus, this issue remains unresolved and I have no plans to spend additional time working on it.

0 Karma

yannK
Splunk Employee

Hi Chad

There is a limit on the length of a multiline event.
Default is 256; after that, the event is broken into multiple events.
Please search on the events to confirm if this is the case.

And if it is, you can set up the parameter MAX_EVENTS for your sourcetype in props.conf
see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
and http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Indexmulti-lineevents

0 Karma
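
The two event-breaking approaches this thread touches on, written out as a props.conf stanza. This is an added example, not a configuration posted or confirmed by anyone in the thread; the MAX_EVENTS value and the assumption that each page ends with </html> followed by a newline are constructed for illustration.

```ini
# props.conf (constructed example for the [elmahdetails] sourcetype)
[elmahdetails]
# Allow long events; TRUNCATE is a per-event limit in bytes (value from the question).
TRUNCATE = 999999

# Option A, the answer's suggestion: keep line merging and raise the
# limit on how many lines may be merged into one event (default 256).
# 2000 is an assumed value; size it to the longest page the script emits.
SHOULD_LINEMERGE = true
MAX_EVENTS = 2000

# Option B, an alternative to try instead of A: disable line merging and let
# LINE_BREAKER alone decide where events end. LINE_BREAKER needs a capturing
# group; the text matched by group 1 is dropped and marks the boundary, so the
# event ends right after </html>. Assumes a newline follows each </html>.
# SHOULD_LINEMERGE = false
# LINE_BREAKER = </html>([\r\n]+)
```

Searching the test index for events from this sourcetype that do not contain </html> shows whether pages are still being split after the change.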

crob6281
Explorer

The number of characters before the <\/pre> tag is variable. The stop location is not.

0 Karma

crob6281
Explorer

I used the 101010 button and it still tried to link to splunk-base.splunk.com/elmah.axd and did other interpret-y things. I also tried escaping.

Screenshots are there now. ..or, rather, should be.

0 Karma

MHibbin
Influencer

Where are the screenshots then? 🙂
You know you can put code in backticks or by highlighting and using the "101010" button on the form.

0 Karma