
Is PowerShell natively supported by the Universal Forwarder or do we need to install the add-on?

sylbaea
Communicator

Hello,

I have a need to execute PowerShell scripts as modular inputs. I am a bit confused about the native support for that.

On one hand, I am under the impression it is supported out of the box by Windows UF when I read this:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsdatawithPowerShellscripts

On the other hand, there is a dedicated add-on available:
https://splunkbase.splunk.com/app/1477

Is it mandatory to deploy this add-on? Or is it only required for specific scenarios?

Regards.

0 Karma

rjthibod
Champion

Powershell is supported out of the box with the Splunk Universal Forwarder. The second link for the add-on is in addition to the basic capabilities.

In general, the minimum design pattern to run a Powershell script is to create an app/add-on for the Splunk UF, and in the app you should have a stanza in inputs.conf that looks like this
[script://.\bin\<FILENAME>.path]

In the "bin" folder of your app you would have a script called .path and its contents would be a single line to call your actual ".ps1" file in the same "bin" folder. My ".path" file contains the following:

$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -command " &'$SPLUNK_HOME\etc\apps\<MY_APP>\bin\<FILENAME>.ps1'"


0 Karma
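
The `.path` wrapper in the answer above starts PowerShell with `-ExecutionPolicy Bypass`, so whatever sits in the app's "bin" folder runs under the forwarder's service account, and it is worth reporting who can change those files. The script below is an added example, not code from this thread or from Splunk: a possible body for `<FILENAME>.ps1` that emits one key=value event per script with its hash and any non-trusted writers. It assumes PowerShell 4.0 or later, that `SPLUNK_HOME` is present in the script's environment, that `MY_APP` stands in for the thread's `<MY_APP>` placeholder, and an illustrative trusted-writer list.

```powershell
# Added example, not from the thread: a possible body for <FILENAME>.ps1.
# Emits one key=value event per file in the app's bin folder: its SHA-256 and
# every non-trusted SID holding an Allow ACE with write-class rights on it.
# Assumptions: PowerShell 4.0+ (Get-FileHash); SPLUNK_HOME is set in the
# script's environment; MY_APP is a placeholder for the thread's <MY_APP>;
# the trusted-writer list is illustrative and should match local policy.
$ErrorActionPreference = 'Stop'

$trustedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic rights that the enum does not name.
$writeRights = $writeRights -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Get-UntrustedWriter {
    param([string]$Path)
    # Ask for SIDs directly so the comparison does not depend on name resolution.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeRights) -ne 0 -and
            $trustedSids -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

try {
    $binDir = Join-Path $env:SPLUNK_HOME 'etc\apps\MY_APP\bin'
    Get-ChildItem -LiteralPath $binDir -File | ForEach-Object {
        $writers = @(Get-UntrustedWriter -Path $_.FullName)
        $hash    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        # One line per file on stdout becomes one event in the index.
        '{0} file="{1}" sha256={2} untrusted_writer_count={3} untrusted_writers="{4}"' -f
            (Get-Date).ToString('o'), $_.FullName, $hash, $writers.Count, ($writers -join ',')
    }
}
catch {
    # Report the failure on stderr so that no malformed event is indexed.
    [Console]::Error.WriteLine("acl_audit_error=""$($_.Exception.Message)""")
    exit 1
}
```

Deny ACEs are ignored, so the report errs toward over-reporting. Write access to the "bin" folder itself also allows replacing these files, so the same check applies to the folder's ACL.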

matthewroberson
Path Finder

The documentation here says: "This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2" Do they mean the version of Splunk on the Universal Forwarder or the version of Splunk on the server? In other words, if I have a Universal Forwarder running version 6.2.1, does that mean I need to deploy the Powershell add-on to that forwarder to be able to run a powershell script?

0 Karma

sloshburch
Splunk Employee

Yea, I too am confused because I really thought it used to declare itself not necessary (on the app entry or docs) but I don't see that. It doesn't include anything rich within props.conf so it's not looking like a necessity for knowledge object enrichment either.

0 Karma

sylbaea
Communicator

Thanks for your answer.

So what kind of additional capabilities can we expect from this add-on?

0 Karma

rjthibod
Champion

I think it is mostly intended to be a Splunk management tool. It allows you to configure, control, and query Splunk controls and data from powershell. It is kind of like an API or SDK for Splunk for Powershell.

0 Karma