need help with splunk btool in powershell

satyaallaparthi
Communicator

Hello,

How can I write a PowerShell script for running the btool command?

Whenever I run it directly in PowerShell, that works fine. But when I store "C:\Program Files\Splunk\bin\splunk" cmd btool props list --debug in test.ps1 and run the script from PowerShell, I get the error.

Unfortunately, Splunk team does not always have access to the server, so we have to either gain access (takes time and approvals) or involve the server owner to run some Splunk commands.

Rather than walk the server owner through a bunch of long command strings, we should use a script.

Write a powershell script that will:

Start in the UniversalForwarder directory.

Run btool for inputs, outputs, props, and transforms and send the output to .txt files.

Then zip up those 4 files along with the contents of /etc/apps/* and /etc/system/local/* into a single zip file as an output.

The server owner can then mail that .zip file to us and we can diagnose the UF.

Thanks,
Satya Allaparthi

0 Karma
1 Solution

rmmiller
Contributor

I suspect you are probably running into an error because you don't have an ampersand in front of your splunk.exe command. PowerShell gets really confused if you try to do that with something that isn't a PowerShell cmdlet or alias. Adding a "&" in front of it solves that problem.

I assumed you might not be running the latest PowerShell, but if you are, the zipping part could be simplified using PowerShell 5's native Compress-Archive cmdlet.

To use this, run the script and you should have a zip created in $env:TEMP named SplunkTroubleshootingArchive_timestampformat.zip. For example: SplunkTroubleshootingArchive_05122019113952.zip

The script will tell you where the zip file is for easy copy/pasting. No Splunk knowledge necessary.

I didn't include a lot of error handling in here. I'm relying on BYOEH (Bring Your Own Error Handling). I also wouldn't call this pretty, but this works for the tests I ran and should get you in the right direction.

# Roll own function to create zip files since PowerShell version is unknown
# Copied from https://stackoverflow.com/questions/1153126/how-to-create-a-zip-archive-with-powershell
function ZipFiles($zipfilename,$sourcedir,$inclRoot)
{
   Add-Type -Assembly System.IO.Compression.FileSystem
   $compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal
   [System.IO.Compression.ZipFile]::CreateFromDirectory($sourcedir,$zipfilename,$compressionLevel,$inclRoot)
}

#####################################################################
# Parameters you should customize for your environment/use case
#####################################################################
# If splunkd is running, programmatically get SplunkUF directory
# (splunkd can show up as more than one process, so take the first one)
$splunkUFDir = (Get-Process "splunkd" | Select-Object -First 1).Path -replace '\\bin\\splunkd\.exe',''
# SplunkUF directory - hard-coded for your environment
#$splunkUFDir = "C:\Program Files\Splunk"

# Array of conf files for btool to parse
$confFiles = @("props","inputs","outputs","transforms")

# Array of Splunk directories to include in zip
$splunkDirsToZip = @("\etc\apps","\etc\system\local")

# Format for timestamp that can be used in file paths
$dateTime = Get-Date -Format "ddMMyyyyHHmmss"
#####################################################################



# Make a directory in $env:TEMP for constructing zip file
$logFolder = New-Item -Path $env:TEMP -Name $($dateTime+"_Splunklogs") -ItemType "directory"

# Loop over the conf files to create output files
# Output is written to temporary directory based on timestamp
foreach ($conf in $confFiles)
{
    & "$splunkUFDir\bin\splunk.exe" cmd btool $conf list --debug | Out-File -FilePath $($logFolder.FullName+"\"+$dateTime+"_"+$conf+".txt") -Force
}

# Loop over the directories to create zip files written to temporary directory based on timestamp
foreach ($d in $splunkDirsToZip)
{
    # Replace the slashes and backslashes with underscores for zip file name, but convert all to backslashes for compression call
    $dirZipFile = $($logFolder.FullName+"\"+$dateTime+"_"+($d -replace '/|\\','_')+".zip") -replace '/','\'
    $srcDir = ($splunkUFDir+$d) -replace '/','\'
    ZipFiles $dirZipFile $srcDir $false
}

# Now zip up the temporary directory into a single zip
$splunkTroubleshootingArchive = (($logFolder.Parent.FullName)+"\SplunkTroubleshootingArchive_"+$dateTime+".zip") -replace '/','\'
# Pass the path string, not the DirectoryInfo object, to the .NET call
ZipFiles $splunkTroubleshootingArchive $logFolder.FullName $false

# Clean up temporary log directory if the archive exists
# (Test-Path checks the file on disk; testing the string alone is always true)
if (Test-Path $splunkTroubleshootingArchive)
{
    Remove-Item $logFolder -Recurse -Force -ErrorAction SilentlyContinue
    Write-Output "Zip archive is at:`n`t`t$splunkTroubleshootingArchive"
} else {
    Write-Warning "Script failure.  No zip archive created."
}

Some useful references for you:
https://stackoverflow.com/questions/24940243/running-cmd-command-in-powershell
https://stackoverflow.com/questions/1153126/how-to-create-a-zip-archive-with-powershell
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/?view=powershell-5.1

Hope that helps!
rmmiller

0 Karma
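The two points above (invoking splunk.exe through the & call operator, and collecting btool output for inputs, outputs, props and transforms) are combined in the following added PowerShell example, which is not from the post or from Splunk: it also checks btool's exit code and redacts credential settings before anything is written, because outputs.conf, inputs.conf and system/local files can carry pass4SymmKey, sslPassword and HTTP Event Collector token values that should not travel in an e-mailed zip. $SplunkHome, the output directory and the list of secret keys are assumptions to adjust for your environment.

```powershell
# Added example, not the script from the post above. Runs btool through the
# call operator, fails loudly on a non-zero exit code, and redacts credential
# settings before the text reaches a file that will be e-mailed around.
# $SplunkHome is an assumed path; point it at your Universal Forwarder.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string[]]$ConfFiles = @('inputs', 'outputs', 'props', 'transforms'),
    [string]$OutDir = (Join-Path $env:TEMP "btool_$(Get-Date -Format yyyyMMddHHmmss)")
)

# Settings whose values should not leave the host: symmetric keys, TLS key
# passphrases and HTTP Event Collector tokens. Splunk usually rewrites these
# to $7$... on restart, but a freshly deployed file can still hold clear text.
$secretPattern = '(?i)^(.*\b(?:pass4SymmKey|sslPassword|sslKeysfilePassword|token))\s*=\s*\S.*$'

function Invoke-Btool {
    param([Parameter(Mandatory)][string]$Conf)
    $exe = Join-Path $SplunkHome 'bin\splunk.exe'
    # '&' is required: a quoted path followed by arguments is a parse error
    # unless PowerShell is told to treat the string as a command to invoke.
    $out = & $exe cmd btool $Conf list --debug 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "btool $Conf failed (exit $LASTEXITCODE): $($out -join ' ')"
    }
    # stderr lines arrive as ErrorRecord objects; flatten everything to text
    $out | ForEach-Object { "$_" }
}

function Protect-BtoolOutput {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # With --debug every line is prefixed by the source .conf path; the
        # pattern keeps that prefix and the key, and drops only the value.
        $Line -replace $secretPattern, '$1 = <redacted>'
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($conf in $ConfFiles) {
    $target = Join-Path $OutDir "$conf.txt"
    Invoke-Btool -Conf $conf | Protect-BtoolOutput | Set-Content -Path $target -Encoding UTF8
    $hits = @(Select-String -Path $target -Pattern '<redacted>' -SimpleMatch).Count
    Write-Host "$conf -> $target ($hits secret value(s) redacted)"
}
```

The per-file redaction count lets the server owner see at a glance that nothing sensitive survived before the directory is zipped and sent.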

jhornsby_splunk
Splunk Employee

Hi @satyaallaparthi ,

What is the error that you are getting? Can you provide the exact PowerShell that you are using to invoke btool?

Cheers,

- Jo.

0 Karma