Forums: SplunkGeneral: truncated scripted input..

Ok.. I have scripted inputs working now but the issue I have now is that every other time the script is ran it only captures exactly 20 lines of the script output instead of the 257 it normally should..

So when you look over time, one run will store 257 lines (correct).. and the next run is the last 20 lines (incorrect).

Any clues?

Can you post the script?

Its are the two nested scripts:

#!/bin/bash
export ORACLE_HOME=/usr/lib/oracle/10.2.0.4/client64/
export PATH=$PATH:$ORACLE_HOME/bin
export TNS_ADMIN=/etc/oracle
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
/usr/bin/python /data/PROGS/SRC/ProdBrowse/foo.py

and then here is foo.py:

#!/usr/bin/env python
import cx_Oracle

curs.close()
orcl.close()

hey there cow mix, can you please send us your $SPLUNK_HOME/etc directory? We would like to see how you are calling this scripted input.

please email the files to support@splunk.com

thanks.

Ok.. here's an update..

When I said "257" was the normal line count, I was wrong. 257 gets consistently reported by Splunk but the real line count is 277. The last 20 lines of the capture are being chopped... consistently.

Ah.. here's another update..

Ok.. I think I'm getting closer..

If you add the 257 lines from a run.. and then the 20 lines from 5 minutes later.. you get 277 lines. And as it happens the 20 line run is the last 20 lines of the first run's output.

Are you putting all the lines from the script into one event? If so you are hitting the default max events limit:

http://www.splunk.com/doc/latest/admin/propsconf

MAX_EVENTS = <integer>
* Specifies the maximum number of input lines to add to any event.
* Splunk breaks after the specified number of lines are read.
* Defaults to 256.

In:

I added:

[host::foo-host]
TRUNCATE = 350

.. and now its not alternating between 257 and 20 lines.. now it just 257 lines and cutting off the last 20.

Can you add the MAX_EVENTS line as well?

ok.. its fixed.

thanks!