Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Powershell input for Splunk universal forwarder - Windows Server

chimbudp
Contributor
‎02-25-2014 08:30 AM

I am just trying to create a dashboard which shows Windows System information (like Task Manager)

Powershell script:

Get-Process  | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin {
    $Owner = Get-WmiObject -Class Win32_Process
} -Process {
    $ID = $_.Id
    New-Object -TypeName 'PSCustomObject' -Property @{
        'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User
        'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain
        'ProcessName' = $_.ProcessName
        'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB)
    } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed
}

Output of the script:

UserName               DomainName           ProcessName       MemoryUsed
---------              ----------           -----------       ----------
NETWORK SERVICE        NYYYY                chrome            6.61 MB
SYSTEM                 NYYYY                Explorer          17.80 MB
User1                  CCTTT                cmd               9.65 MB

The Script runs fine and Exeution-Policy are set to Remote-Signed

I set the inputs.conf to read the Script at bin directory, but unable to get the output as expected? Does any modifications needed at script ?

I created a .cmd file to open the powershell script and placed both the .ps1 & .cmd at /bin directory

Inputs.conf

[script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd]
interval = 0
sourcetype = winperf
index = main
Reply

afamoyib
Path Finder
‎03-08-2018 02:27 PM

For powershell if you want to do it via the input file. You will need a path file, this is the easiest solution.

  • step 1 create a script and store it in a directory. For this example i will use C:\temp\bin\test.ps1
  • Step 2 create a path file(file.path). C:\temp\bin\testpath.path
  • Step 3 Store this in your path file . Store this in the path $SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command " C:\temp\bin\test.ps1'"
  • Step 4 Create the inputs.conf file
0 Karma
Reply

halr9000
Motivator
‎02-25-2014 01:12 PM

You should try the PowerShell Addon, I think you'll have a better experience with it. The addon is a PowerShell host, implemented as a Splunk modular input.

Be sure to read the README, there are some caveats. But it's a cool solution, and the basis for several Splunk Apps like MS Exchange. No more creating a .cmd file to launch powershell.exe. You can even embed bare PowerShell statements in inputs.conf.

Reply

rmillerscjcom
New Member
‎01-13-2017 01:19 PM

The link readme link in the body of this post is missing the last "E", it should be: https://github.com/splunk/splunk-powershell-modularinput/tree/master/Package/README

0 Karma
Reply

linu1988
Champion
‎02-25-2014 11:33 AM

Hello,
Put the scripts in bin/script folder

[script://$SPLUNK_HOME\etc\apps\MSICreated\bin\scripts\Status.cmd]
interval = 0
sourcetype = winperf
index = main

Status.cmd should have: 

 @powershell -File E:\Apps\SplunkUniversalForwarder\etc\apps\MSICreated\bin\scripts\Status.ps1

Thanks

Reply

chimbudp
Contributor
‎02-25-2014 02:05 PM

thanks abhi..

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...