- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- PowerShell script through inputs.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to get my PowerShell script to be invoked by inputs.conf. My PowerShell script, ScriptTest.ps1, looks like this (borrowed)
Get-Process | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin {
$Owner = Get-WmiObject -Class Win32_Process
} -Process {
$ID = $_.Id
New-Object -TypeName 'PSCustomObject' -Property @{
'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User
'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain
'ProcessName' = $_.ProcessName
'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB)
} | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed
} | out-file output.txt
My .cmd file is Status.cmd, and looks like
@powershell -File H:\MyScripts\ScriptTest.ps1
My inputs.conf looks like
[script://$SPLUNK_HOME\etc\apps\SA-ModularInput-PowerShell\Status.cmd]
interval = 0
sourcetype = winperf
index = main
So essentially, I was expecting that when I restarted the service, the output.txt file would be generated. I know the script and command file work because I have ran the command file and the output.txt file was generated. Does anyone know what I am doing incorrectly? Thanks for any help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
powershell is a mess with splunk and you have to create a .path file.. 🙂
inputs.conf
[script://.\bin\myscript.path]
interval=300
disabled=0
myscript.path
$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command " &'$SPLUNK_HOME\etc\apps\myapp\bin\powershell\myscript.ps1'"
Cheers,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The answer above didn't help me when I found it via Google. A Stackoverflow answer led me in the right direction.
powershell -noexit "& ""C:\my_path\yada_yada\run_import_script.ps1"""
http://stackoverflow.com/questions/2035193/how-to-run-a-powershell-script
Referencing the path to Powershell is usually unnecessary. Using a variable for the Splunk install location also might be unnecessary. Regardless of a 32/64 bit installation, it should always bee under C:\Program Files. As for drive letter, the average user doesn't install programs to drives other than where Windows is installed, and Windows is almost always installed on C:.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
powershell is a mess with splunk and you have to create a .path file.. 🙂
inputs.conf
[script://.\bin\myscript.path]
interval=300
disabled=0
myscript.path
$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command " &'$SPLUNK_HOME\etc\apps\myapp\bin\powershell\myscript.ps1'"
Cheers,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue resolved, was having a problem with where I was keeping my script, it wanted it with all of the other scripts in $SPLUNK_HOME\bin\scripts. Thanks for the help, schose!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That seemed to work once, but I deleted the output file that my script was creating, and now it isn't recreating it. I've restarted the service on the Universal Forwarder multiple times. Does the interval of 300 mean that it will take 5 minutes to create the first output file?
EDIT: I see talk of if a process doesn't end, Splunk won't run it again. How can I tell if the script ran completely? Isn't the fact that the output file was generated proof of that?
EDIT: I looked into splunkd.log, and I see that it tried to run the script and exited with the error code 255. Looking into it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
300 means the script will run every 5 minutes or if forwarder will be restarted. Check SPLUNK_HOME/var/log/splunk/splunkd.log. script errors of your powershellscript will be displayed there. notice that your powershell script is running in context of the forwarders user (default: system). try to run the script manually to troubleshoot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ran script manually without issue. Trying to think of what could be causing the problem.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
