Getting Data In

Powershell Scripting for SPLUNK

abhayneilam
Contributor

Hi,

I have installed Splunk on my Windows machine and I want to give a scripted input to Splunk.

I know Splunk does provide ".bat Programming". Does Splunk support "PowerShell Scripting"?

If yes, then please share any document that clearly defines how to give "PowerShell scripting" as an input to Splunk.

Thanks,
Abhay

halr9000
Motivator

Another option is to use the ".path file" which is (lightly) documented in the inputs.conf spec file (http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Inputsconf). See also: http://splunk-base.splunk.com/answers/309/powershell-scripted-input for examples.

From the docs:

cmd can also be a path to a file that ends with a ".path" suffix. A file with this suffix is a special type of pointer file that points to a command to be executed. Although the pointer file is bound by the same location restrictions mentioned above, the command referenced inside it can reside anywhere on the file system. This file must contain exactly one line: the path to the command to execute, optionally followed by command line arguments. Additional empty lines and lines that begin with '#' are also permitted and will be ignored.

Also, in a week or so, we are releasing a PowerShell modular input that lets you embed a PowerShell script into your inputs.conf file and has some other really cool features. Watch http://blogs.splunk.com/ for that.

0 Karma
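The pointer-file rules quoted in the answer above, as an added example (not from the original post or from Splunk): a PowerShell function that parses a `.path` file and reports which command it would launch, which matters because that command can live anywhere on the file system. The function name, the sample file, the script path inside it, the handling of a double-quoted executable path, and treating whitespace-only lines as empty are assumptions.

```powershell
function Read-SplunkPathFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Empty lines and lines that begin with '#' are permitted and ignored.
    # (Assumption: whitespace-only lines count as empty.)
    $commands = @(Get-Content -LiteralPath $Path |
        Where-Object { $_.Trim() -ne '' -and -not $_.StartsWith('#') })

    # The file must contain exactly one command line.
    if ($commands.Count -ne 1) {
        throw "$Path has $($commands.Count) command lines; exactly one is required."
    }
    $line = $commands[0].Trim()

    # Split the executable from its optional arguments.
    # (Assumption: an executable path containing spaces is double-quoted.)
    if ($line -match '^"([^"]+)"\s*(.*)$' -or $line -match '^(\S+)\s*(.*)$') {
        $exe = $Matches[1]
        $arguments = $Matches[2]
    }

    [pscustomobject]@{
        PathFile     = $Path
        Executable   = $exe
        Arguments    = $arguments
        # False for a bare command name that is resolved through PATH.
        TargetExists = Test-Path -LiteralPath $exe -PathType Leaf
    }
}

# Constructed sample pointer file; the .ps1 path is a placeholder.
$sample = Join-Path $env:TEMP 'myscript.path'
Set-Content -LiteralPath $sample -Value @(
    '# run the collector with Windows PowerShell'
    ''
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File "C:\Program Files\Splunk\etc\apps\myfirstapp\bin\powershell\myscript.ps1"'
)
Read-SplunkPathFile -Path $sample | Format-List
```

Calling the function for each `*.path` file under an app directory gives a quick inventory of the executables and arguments the pointer files launch.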

bmacias84
Champion

Splunk will run any scripting language your operating system supports, whether it be perl, python, ruby, bat, vb, ps1 (PowerShell), etc. Your OS just needs to have an interpreter for it. So yes, it can.

Do the following; I am assuming you are building or have built a TA or an app to hold these scripts.

Create a bat script like this, called psexecut.cmd:


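@ECHO OFF
REM Name of the app that holds the PowerShell scripts
SET MYSPLUNKAPP=myfirstapp
REM %1 is the script name passed in from the inputs.conf stanza
Powershell -command ". '%SPLUNK_HOME%\etc\apps\%MYSPLUNKAPP%\bin\powershell\%1'"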

Within an inputs.conf file:


[script://<path_to_psexecut.cmd>\psexecut.cmd <path_to_powershell_script>]
source = <ps_script_name>
sourcetype = Powershell
# interval is in seconds
interval = 10
# your index
index = wintel

Also read Scripted inputs for more information. Also download some apps and start dissecting them to see how others build theirs.

Hope this helps or gets you started. If this does help, don't forget to accept and vote up the answer.

bmacias84
Champion

$SPLUNK_HOME is only known to Splunk-native processes. PowerShell is a Windows-specific shell that doesn't know about Splunk ENV variables. Try typing SET and see what pops up as defined ENV variables.

0 Karma

sloshburch
Splunk Employee

I guess I assumed it was available as part of the splunk run time (like how it is for other scripts). Is it not the same as the $SPLUNK_HOME environment variable available to splunk already? Let me know if that made no sense.

0 Karma

bmacias84
Champion

@sloshburch, Hello. I am assuming that SPLUNK_HOME is already a SYSTEM_ENVIRONMENT variable on the system the script is running on. If it is not, you will need to use the SET command: SET SPLUNK_HOME=D:/program files/splunk or the equivalent path.

0 Karma

sloshburch
Splunk Employee

Were you able to get the %SPLUNK_HOME part of the cmd file to work? When I run it that way I get this:
The module 'SPLUNK_HOME' could not be loaded. For more information, run 'Import-Module SPLUNK_HOME'

0 Karma