
Powershell input suddenly stops indexing data

sylbaea
Communicator

Hello,

I have the following input

[powershell://Audit]
script = & "$SplunkHome\etc\apps###\bin\Audit.ps1"
schedule = 45 * * ? * *
index = ###
sourcetype = ###
source = Powershell
disabled = 0

Audit.ps1 is periodically executed to collect local data I need to audit. It works fine for a given period, then suddenly stops collecting data until I restart the UF.
At the time when indexing stops I see the following WARN in splunkd.log

01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Tag "\stream\event\data" was unexpected.
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "index".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "source".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "sourcetype".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "event".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "time".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "data".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "index".

As the collected data changes from one script call to another, I guess there are special characters or syntax that are making the input crash. But I cannot figure out exactly what (note: I cannot post the collected data on the forum, it is a bit sensitive).

Any suggestion to troubleshoot the problem?

Regards.

Sylvain

0 Karma

eshess
New Member

Can we see the script? I saw similar behavior recently and I ended up fixing it by changing how I handled my output to Splunk.

I was initially doing something like:
Write-Output "Key = Value"

When I switched to creating a custom PSObject with the key/value pair as properties on the object it seems to be working as intended:

$props = @{
'Key' = 'Value';
}
$Output = New-Object -TypeName PSObject -Property $props
Write-Output $Output
0 Karma

sylbaea
Communicator

Thanks for your feedback. I see your point, and I think I am ok on that part.
For that case, the output is generated by this piece of code

foreach ($DataRow in $DataTable) {
    $Object = New-Object PSObject -Property @{ ServerInstance=$sql.DataSource }
    foreach ($Element in $($DataRow | Get-Member | Where-Object { $_.MemberType -eq "Property" })) {
        $Object | Add-Member -MemberType NoteProperty -Name $Element.Name -Value $($DataRow[$Element.Name])
    }
    Write-Output $Object
}
0 Karma
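The poster's guess is that some value in the collected rows carries characters the modular input cannot serialize. The PowerShell modular input hands each object to splunkd as streaming XML, so one defensive check worth trying is to scrub every property value of characters that are not legal in XML 1.0 before calling Write-Output, and to log which column was scrubbed. The script below is an added example, not the poster's Audit.ps1 or Splunk's own code; it keeps the same shape (one PSObject per DataRow) but builds the object from the table's column list and scrubs the values. The $DataTable and $ServerInstance values at the bottom are constructed sample input standing in for the poster's SQL result and $sql.DataSource.

```powershell
# Added example (not the original poster's script). Emits one PSObject per
# DataRow, as the poster does, but scrubs each value of characters outside
# the XML 1.0 'Char' production before the object reaches Splunk's XML stream.

# Allowed: TAB, LF, CR and U+0020..U+FFFD. Surrogate code units sit inside
# that range, so valid supplementary characters survive; C0/C1 controls,
# U+FFFE and U+FFFF are removed.
$script:InvalidXmlChars = [regex]'[^\x09\x0A\x0D\x20-\uFFFD]'

function ConvertTo-XmlSafeValue {
    param($Value)
    # A SQL NULL arrives as [DBNull]; neither it nor $null has a useful string form.
    if ($null -eq $Value -or $Value -is [System.DBNull]) { return '' }
    return $script:InvalidXmlChars.Replace([string]$Value, '')
}

function ConvertTo-SplunkEvent {
    param(
        [Parameter(Mandatory = $true)] [System.Data.DataRow] $DataRow,
        [string] $ServerInstance
    )
    $Object = New-Object PSObject -Property @{ ServerInstance = $ServerInstance }
    # Walk the table's own column list so only real columns become properties.
    foreach ($Column in $DataRow.Table.Columns) {
        $name = $Column.ColumnName
        $raw  = $DataRow[$name]
        $safe = ConvertTo-XmlSafeValue -Value $raw
        if ($raw -is [string] -and $safe.Length -ne $raw.Length) {
            # Troubleshooting aid: run the script with -Verbose to see which
            # column carried the bad bytes, without printing the data itself.
            Write-Verbose "Scrubbed $($raw.Length - $safe.Length) invalid XML char(s) from column '$name'"
        }
        $Object | Add-Member -MemberType NoteProperty -Name $name -Value $safe
    }
    return $Object
}

# Constructed sample input standing in for the poster's $DataTable: the second
# row carries a 0x01 control byte, the third a SQL NULL.
$DataTable = New-Object System.Data.DataTable
[void]$DataTable.Columns.Add('Login',   [string])
[void]$DataTable.Columns.Add('Comment', [string])
[void]$DataTable.Rows.Add('svc_backup', 'ok')
[void]$DataTable.Rows.Add('svc_report', "bad$([char]0x01)byte")
[void]$DataTable.Rows.Add('svc_null',   [DBNull]::Value)

$ServerInstance = 'sqlhost\instance01'   # constructed; stands in for $sql.DataSource
foreach ($DataRow in $DataTable.Rows) {
    Write-Output (ConvertTo-SplunkEvent -DataRow $DataRow -ServerInstance $ServerInstance)
}
```

Run it once in a console with -Verbose to see whether any row is actually being scrubbed; if the warnings in splunkd.log stop after the scrub is in place, the offending column name in the verbose output points at the data to inspect, without having to post the data anywhere.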