I am just trying to create a dashboard which shows Windows system information (like Task Manager).
PowerShell script:
# List each process with its owner, domain, name and working set (Task Manager style)
Get-Process | Where-Object { $_.WS -gt 0MB } | ForEach-Object -Begin {
    # Query WMI once up front; Win32_Process objects expose GetOwner()
    $Owner = Get-WmiObject -Class Win32_Process
} -Process {
    $ID = $_.Id
    # Resolve the owner once per process instead of once per property
    $ProcOwner = ($Owner | Where-Object { $_.ProcessID -eq $ID }).GetOwner()
    New-Object -TypeName 'PSCustomObject' -Property @{
        'UserName'    = $ProcOwner.User
        'DomainName'  = $ProcOwner.Domain
        'ProcessName' = $_.ProcessName
        'MemoryUsed'  = "{0:N2} MB" -f ($_.WS / 1MB)
    } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed
}
Output of the script:
UserName        DomainName ProcessName MemoryUsed
---------       ---------- ----------- ----------
NETWORK SERVICE NYYYY      chrome      6.61 MB
SYSTEM          NYYYY      Explorer    17.80 MB
User1           CCTTT      cmd         9.65 MB
The script runs fine and the execution policy is set to RemoteSigned.
I set inputs.conf to read the script in the bin directory, but I am unable to get the output as expected. Are any modifications needed to the script?
I created a .cmd file to open the PowerShell script and placed both the .ps1 and the .cmd in the /bin directory.
inputs.conf:
[script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd]
interval = 0
sourcetype = winperf
index = main
For PowerShell, if you want to do it via the input file, you will need a path file; this is the easiest solution.
You should try the PowerShell Addon, I think you'll have a better experience with it. The addon is a PowerShell host, implemented as a Splunk modular input.
Be sure to read the README, there are some caveats. But it's a cool solution, and the basis for several Splunk Apps like MS Exchange. No more creating a .cmd file to launch powershell.exe. You can even embed bare PowerShell statements in inputs.conf.
The README link in the body of this post is missing the last "E"; it should be: https://github.com/splunk/splunk-powershell-modularinput/tree/master/Package/README
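The modular-input approach from the answer above, as an added example that is not part of the original thread or the add-on's README: the asker's .cmd-wrapped scripted input beside a `[powershell://...]` stanza that runs Status.ps1 directly. The stanza name `ProcessOwners`, the 300-second schedule and the `$SplunkHome` path variable are assumptions to check against the README for the installed version.

```ini
# inputs.conf (added example; names and values below are illustrative)

# Before: scripted input that needs a .cmd wrapper to launch powershell.exe
# [script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd]
# interval = 0
# sourcetype = winperf
# index = main

# After: PowerShell modular input, no wrapper file.
# "ProcessOwners" is a hypothetical stanza name.
[powershell://ProcessOwners]
# Dot-source the existing script; the path assumes the app layout from the question
script = . "$SplunkHome\etc\apps\MSICreated\bin\Status.ps1"
# Assumed schedule: run every 300 seconds
schedule = 300
sourcetype = winperf
index = main
```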
Hello,
Put the scripts in the bin/script folder:
[script://$SPLUNK_HOME\etc\apps\MSICreated\bin\scripts\Status.cmd]
interval = 0
sourcetype = winperf
index = main
Status.cmd should have:
@powershell -File E:\Apps\SplunkUniversalForwarder\etc\apps\MSICreated\bin\scripts\Status.ps1
Thanks
Thanks, abhi.