Hello,
I have the following input
[powershell://Audit]
script = & "$SplunkHome\etc\apps###\bin\Audit.ps1"
schedule = 45 * * ? * *
index = ###
sourcetype = ###
source = Powershell
disabled = 0
Audit.ps1 is periodically executed to collect local data I need to audit. It works fine for a given period, then suddenly stops collecting data until I restart the UF.
At the time when indexing stops I see the following WARN in splunkd.log:
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Tag "\stream\event\data" was unexpected.
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "index".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "source".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "sourcetype".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "event".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "time".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "data".
01-18-2017 13:20:15.713 +0000 WARN ExecProcessor - Streaming XML data: Expected tag "event", instead received "index".
As the collected data changes from one script call to another, I guess there are special characters or syntax that are making the input crash. But I cannot figure out exactly what (note: I cannot post the collected data on the forum, it is a bit sensitive).
Any suggestion to troubleshoot the problem?
Regards.
Sylvain
Can we see the script? I saw similar behavior recently and I ended up fixing it by changing how I handled my output to Splunk.
I was initially doing something like:
    # Plain string output: one "Key = Value" line per call
    Write-Output "Key = Value"
When I switched to creating a custom PSObject with the key/value pair as properties on the object it seems to be working as intended:
    # Hashtable of key/value pairs that become properties on the object
    $props = @{
        'Key' = 'Value';
    }
    # Emit one object per record; each property is serialised as a field
    $Output = New-Object -TypeName PSObject -Property $props
    Write-Output $Output
Thanks for your feedback. I see your point, and I think I am ok on that part.
For that case, the output is generated by this piece of code:
    foreach ($DataRow in $DataTable) {
        # Start each record with the SQL Server instance it came from
        $Object = New-Object PSObject -Property @{ ServerInstance = $sql.DataSource }
        # Copy every column of the row onto the object as a NoteProperty
        foreach ($Element in $($DataRow | Get-Member -MemberType Property)) {
            $Object | Add-Member -MemberType NoteProperty -Name $Element.Name -Value $($DataRow[$Element.Name])
        }
        Write-Output $Object
    }
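The warnings above come from a consumer that reads the script's output as a stream of XML, so the first thing to rule out is a value containing a character that XML 1.0 does not allow (most C0 control characters, lone surrogates, U+FFFE/U+FFFF). The following is an added example, not code from the thread or from Splunk: it wraps the serialisation loop posted above, normalises DBNull cells to $null, and replaces illegal characters with U+FFFD, logging only the row number and column name so that the sensitive values never leave the host. It assumes $DataTable and $sql exist exactly as in the post, that .NET 4 or later is present (for System.Xml.XmlConvert), and that $DiagLog and the function names are illustrative choices.

```powershell
# Added example (not from the original thread). Assumptions: $DataTable and $sql
# are defined as in the post above; .NET 4+ is available; $DiagLog is our own choice.

$DiagLog = Join-Path $env:TEMP 'Audit-xml-check.log'

function Test-XmlSafeString {
    # $true when every character of $Text is legal XML 1.0 content, else $false.
    param([string]$Text)
    try {
        [void][System.Xml.XmlConvert]::VerifyXmlChars($Text)
        return $true
    } catch [System.Xml.XmlException] {
        return $false
    }
}

function Repair-XmlString {
    # Replace each UTF-16 code unit that is not a legal XML 1.0 character with
    # U+FFFD, keeping well-formed surrogate pairs (characters above U+FFFF) intact.
    param([string]$Text)
    $sb = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $Text.Length) {
        $c = $Text[$i]
        if ([System.Xml.XmlConvert]::IsXmlChar($c)) {
            [void]$sb.Append($c)
            $i++
        } elseif (($i + 1) -lt $Text.Length -and
                  [System.Xml.XmlConvert]::IsXmlSurrogatePair($Text[$i + 1], $c)) {
            [void]$sb.Append($c).Append($Text[$i + 1])
            $i += 2
        } else {
            [void]$sb.Append([char]0xFFFD)
            $i++
        }
    }
    return $sb.ToString()
}

function Convert-DataRowToSafeObject {
    # Build the output object column by column (iterating the table's column list
    # rather than Get-Member, so only real columns are copied). DBNull becomes
    # $null and strings with illegal characters are sanitised. Only the row number
    # and column name are written to the diagnostic log, never the value itself.
    param(
        [System.Data.DataRow]$Row,
        [int]$RowNumber,
        [string]$ServerInstance
    )
    $Object = New-Object PSObject -Property @{ ServerInstance = $ServerInstance }
    foreach ($Column in $Row.Table.Columns) {
        $Name  = $Column.ColumnName
        $Value = $Row[$Name]
        if ($Value -is [System.DBNull]) { $Value = $null }
        if ($Value -is [string] -and -not (Test-XmlSafeString $Value)) {
            $Line = "{0} row {1} column '{2}': illegal XML 1.0 character replaced" -f `
                    (Get-Date -Format o), $RowNumber, $Name
            Add-Content -Path $DiagLog -Value $Line
            $Value = Repair-XmlString $Value
        }
        $Object | Add-Member -MemberType NoteProperty -Name $Name -Value $Value
    }
    return $Object
}

# Same loop shape as the posted script, with the sanitising conversion in place.
$RowNumber = 0
foreach ($DataRow in $DataTable) {
    $RowNumber++
    Write-Output (Convert-DataRowToSafeObject -Row $DataRow -RowNumber $RowNumber `
                                              -ServerInstance $sql.DataSource)
}
```

If the diagnostic log fills with entries at the same time the ExecProcessor warnings appear, the offending column is identified without the data ever being posted anywhere; if it stays empty, illegal characters can be ruled out and the next candidates are the shape of the objects themselves (for example a column whose name collides with ServerInstance, or a row that yields no properties at all).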