Solved: Why am I unable to find the source or sourcetype w...

jip31 · ‎04-30-2018

Hi

I want to use a powershell script in Splunk
I put the script in BIN folder, I have created an input in data entry
name : Get-RebootPending
command : (Invoke-WmiMethod -Namespace root\ccm\clientsdk -Path CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending
source : powershell:rebootPending
but impossible to use it because my request don't find the source or the sourcetype
Have I forgotten something?
Thanks

xpac · ‎05-01-2018

Hey, so you created a script (something.ps1) and put that into the bin directory of your app, then created a scripted input that refers to that filename? Or did you put the script itself right into the input? Can you maybe show some screenshots or copy-paste the actual script ans inputs.conf?

You might want to take a look at the Powershell add on for Splunk - check this out:
https://splunkbase.splunk.com/app/1477/

View solution in original post

jip31 · ‎05-01-2018

Oh wondeful it works now!
thank for your help!!

xpac · ‎05-01-2018

Glad it worked out. 🙂

Would appreciate if you accept the answer/upvote it, so others can find the solution more easily.

jip31 · ‎05-01-2018

hi
yes exactly
this is the script in iputs.conf
[powershell://Get-RebootPending]
schedule = 25****
script = (Invoke-WmiMethod -Namespace root\ccm\clientsdk -Path CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending
sourcetype = powershell:rebootPending
index = main

ddrillic · ‎05-01-2018

What about an extension such as? - [powershell://Get-RebootPending.ps1]

jip31 · ‎05-01-2018

it has changed nothing....

xpac · ‎05-01-2018

You can try a search like this:
index_internal ExecProcessor - that should show you everything related to the component that is running the inputs. You might have to drill down on your specific host, search for "Error" or your powershell scripts, but that might give you errors that occured during script execution.

jip31 · ‎05-01-2018

i have this:
01/05/18 15:31:00,933

05-01-2018 15:31:00.933 +0200 ERROR ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza Get-RebootPending. Invalid cron schedule: 25****

host = LFR018502

source = C:\Program Files\Splunk\var\log\splunk\splunkd.log

sourcetype = splunkd

xpac · ‎05-01-2018

Ah, yeah, the Powershell input uses a different cron format. Always forget that.

Take a look at the Quartz docs - that's the cron implementation used for Powershell. If you adapt your cron schedule to that format, it should work.

xpac · ‎05-01-2018

Hey, so you created a script (something.ps1) and put that into the bin directory of your app, then created a scripted input that refers to that filename? Or did you put the script itself right into the input? Can you maybe show some screenshots or copy-paste the actual script ans inputs.conf?

You might want to take a look at the Powershell add on for Splunk - check this out:
https://splunkbase.splunk.com/app/1477/

Why am I unable to find the source or sourcetype when using a powershell script in Splunk?

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!