Getting Data In

Powershell Scripting for SPLUNK

abhayneilam
Contributor

Hi,

I have installed Splunk on my Windows machine and I want to give a scripted input to Splunk.

I know Splunk does provide ".bat Programming". Does Splunk support "Powershell Scripting"?

If yes, then please share any document where it is clearly defined how to give "powershell scripting" as an input to Splunk.

Thanks,
Abhay

halr9000
Motivator

Another option is to use the ".path file" which is (lightly) documented in the inputs.conf spec file (http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Inputsconf). See also: http://splunk-base.splunk.com/answers/309/powershell-scripted-input for examples.

From the docs:

cmd can also be a path to a file that ends with a ".path" suffix. A file with this suffix is a special type of  pointer file that points to a command to be executed.  Although the pointer file is bound by the same location restrictions mentioned above, the command referenced inside it can reside anywhere on the file system.  This file must contain exactly one line: the path to the command to execute, optionally followed by command line arguments.  Additional empty lines and lines that begin with '#' are also permitted and will be ignored.

Also, in a week or so, we are releasing a PowerShell modular input that lets you embed a PowerShell script into your inputs.conf file and has some other really cool features. Watch http://blogs.splunk.com/ for that.

0 Karma
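An added example, not part of the original posts or of Splunk's code: a small auditor that parses a ".path" pointer file by the rule quoted from the docs (one command line, blank and '#' lines ignored) and reports whether the referenced command, which may live anywhere on the file system, sits inside a directory you trust. The sample file contents, the install path, the script name get-data.ps1 and the allowlist are assumptions made for illustration.

```python
import ntpath
import shlex

# Constructed sample .path file; the install path and script name are assumptions.
SAMPLE = r'''# pointer file for a PowerShell scripted input

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File "C:\Program Files\Splunk\etc\apps\myfirstapp\bin\powershell\get-data.ps1"
'''

def parse_path_file(text):
    """Return (command, args) from .path file text.

    Blank lines and lines starting with '#' are ignored; exactly one
    command line must remain, as the inputs.conf spec requires.
    """
    lines = (ln.strip() for ln in text.splitlines())
    commands = [ln for ln in lines if ln and not ln.startswith("#")]
    if len(commands) != 1:
        raise ValueError(f"expected exactly 1 command line, found {len(commands)}")
    # posix=False leaves Windows backslashes alone but keeps the quotes
    # on each token, so strip them afterwards.
    tokens = [t.strip('"') for t in shlex.split(commands[0], posix=False)]
    return tokens[0], tokens[1:]

def is_under(path, trusted_dirs):
    """True if a Windows path lies inside one of trusted_dirs (lexical check)."""
    norm = lambda p: ntpath.normcase(ntpath.normpath(p))
    target = norm(path)
    return any(target.startswith(norm(d).rstrip("\\") + "\\") for d in trusted_dirs)

def audit_path_file(text, trusted_dirs):
    """Parse a .path file and report whether its command sits in a trusted directory."""
    command, args = parse_path_file(text)
    return {"command": command, "args": args, "trusted": is_under(command, trusted_dirs)}

if __name__ == "__main__":
    # Hypothetical allowlist: directories only administrators can write to.
    print(audit_path_file(SAMPLE, [r"C:\Windows\System32", r"C:\Program Files\Splunk"]))
```

The directory check is lexical only: it normalises case and ".." segments but does not resolve links or read ACLs, so pair it with a permissions review of the target.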

bmacias84
Champion

Splunk will run any scripting language your operating system supports, whether it be perl, python, ruby, bat, vb, ps1 (powershell), etc. Your OS just needs to have an interpreter for it. So yes it can.

Do the following; I am assuming you are building or have built a TA or an app to hold these scripts.

Create a bat script like this, called psexecut.cmd:


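@ECHO OFF
REM Name of the Splunk app that holds the PowerShell scripts
SET MYSPLUNKAPP=myfirstapp
REM Dot-source the script named by the first argument (%1)
Powershell -command ". '%SPLUNK_HOME%\etc\apps\%MYSPLUNKAPP%\bin\powershell\%1'"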

Within an inputs.conf file:


[script://<path_to_psexecut.cmd>\psexecut.cmd <path_to_powershell_script>]
source = <ps_script_name>
sourcetype = Powershell
# interval in seconds
interval = 10
# your index
index = wintel

Also read Scripted inputs for more information. Also download some apps and start dissecting them to see how others build theirs.

Hope this helps or gets you started. If this does help, don't forget to accept and vote up the answer.

bmacias84
Champion

$SPLUNK_HOME is only known to Splunk native processes. PowerShell is a Windows-specific shell that does not know about Splunk ENV variables. Try typing SET and see what pops up as defined ENV variables.

0 Karma

sloshburch
Splunk Employee

I guess I assumed it was available as part of the splunk run time (like how it is for other scripts). Is it not the same as the $SPLUNK_HOME environment variable available to splunk already? Let me know if that made no sense.

0 Karma

bmacias84
Champion

@sloshburch, hello. I am assuming that SPLUNK_HOME is already a SYSTEM_ENVIRONMENT variable on the system the script is running on. If it is not, you will need to use the SET command: SET SPLUNK_HOME=D:/program files/splunk or the equivalent path.

0 Karma

sloshburch
Splunk Employee

Were you able to get the %SPLUNK_HOME part of the cmd file to work? When I run it that way I get this:
The module 'SPLUNK_HOME' could not be loaded. For more information, run 'Import-Module SPLUNK_HOME'

0 Karma