Splunk Add-on for Microsoft System Center Operations Manager: Why is the add-on not writing data to index?

DolEgon22
New Member

Hi all,

I have set up the Splunk Add-on for Microsoft System Center Operations Manager (SCOM) and have successfully set up a performance input from SCOM, and I can see in the ta_scom.log that the PowerShell scripts are getting the objects. However, nothing is written to the index. In fact, I don't see the add-on sourcetypes at all ("microsoft:scom:*").

I've exhausted all the log files I can think of to look in for clues as to why the data never makes it into the index, but so far have come up empty. Any ideas as to what I'm missing or where else I can look to troubleshoot the issue?

Thanks in advance!

0 Karma

DolEgon22
New Member

I found that the PowerShell scripts that are running for the Splunk Add-on for Microsoft Active Directory were causing some issue, not allowing the PowerShell scripts for the Splunk Add-on for SCOM to complete, so no data was getting into the index.

Steps I used to discover the issue (nothing in the logging provided a clue):

  1. Saw that the PowerShell process on the server was consuming a LOT of memory and not releasing any.
  2. Using Process Explorer, I found the command line that Splunk uses to launch the PowerShell scripts. It writes a temp file with the parameters and passes it to PowerShell.
  3. I cracked open the temp file and saw that before the SCOM-related PS scripts were run, a bunch of AD-related PS scripts were executed.
  4. I disabled the Splunk Add-on for Microsoft Active Directory.
  5. Data from SCOM began populating the index.

However, some add-ons/apps require the Splunk Add-on for Microsoft Active Directory. When I re-enabled it, the data from SCOM stopped being written again. Can anyone elaborate why this would be the case?

0 Karma
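Steps 1 to 3 of the post above can also be scripted, shown here as an added example that is not part of the original post or of either add-on. It samples the working set of candidate script-host processes over time and prints each one's parent and full command line, which is where the temp file path would appear. The name pattern `powershell|splunk` and the parameter names are assumptions; adjust them for your host.

```powershell
# Added example: track memory growth and command lines of PowerShell/Splunk processes.
# Assumption: the process hosting the add-on scripts has "powershell" or "splunk" in its name.
param(
    [string]$NamePattern     = 'powershell|splunk',
    [int]   $Samples         = 5,
    [int]   $IntervalSeconds = 60
)

function Get-ScriptHostSnapshot {
    param([string]$Pattern)
    # One WMI query per sample; build a PID -> name map to resolve parent names.
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p.Name }
    $all | Where-Object { $_.Name -match $Pattern } | ForEach-Object {
        [pscustomobject]@{
            Time         = Get-Date
            ProcessId    = $_.ProcessId
            Name         = $_.Name
            Parent       = $byId[[int]$_.ParentProcessId]   # $null if parent has exited
            WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
            CommandLine  = $_.CommandLine                   # may be empty without admin rights
        }
    }
}

# Collect snapshots at a fixed interval.
$history = for ($i = 0; $i -lt $Samples; $i++) {
    Get-ScriptHostSnapshot -Pattern $NamePattern
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

# Per process: first vs. last working set. Steady growth with no release is the symptom from step 1.
$history | Group-Object ProcessId | ForEach-Object {
    $first = $_.Group | Select-Object -First 1
    $last  = $_.Group | Select-Object -Last 1
    [pscustomobject]@{
        ProcessId   = $first.ProcessId
        Name        = $first.Name
        Parent      = $first.Parent
        StartMB     = $first.WorkingSetMB
        EndMB       = $last.WorkingSetMB
        GrowthMB    = [math]::Round($last.WorkingSetMB - $first.WorkingSetMB, 1)
        CommandLine = $first.CommandLine
    }
} | Sort-Object GrowthMB -Descending | Format-List
```

Run it from an elevated prompt so that `CommandLine` is populated for processes owned by the service account.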

aaraneta_splunk
Splunk Employee

@DolEgon22 - Did your answer provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers/comments, then you don't have to take action on it yet.

0 Karma

DolEgon22
New Member

The details of the root cause have yet to be uncovered. I'll keep it open a little longer in case someone has some insight on the issue. Thanks!

0 Karma