Solved: Re: Error using the Powershell-Addon (modular inpu...

malmiran · ‎11-21-2018

I am using the Splunk add-on for Powershell to run T-SQL files. Sample stanza below:

[powershell://GetSQLServerInfo]
script=. "$SplunkHome/etc/apps/SQLServerBase_cog-tech-database/bin/GetSQLServerInfo.ps1"
disabled = 0
schedule = * */5 * * * *
sourcetype = sql_serverinfo
index = cog-tech-database-test-nonprod

It runs perfectly. However, when I add another "powershell" stanza in the same input.conf file, I get an error. For example:

[powershell://GetSQLConfig]
script=. "$SplunkHome/etc/apps/SQLServerBase_cog-tech-database/bin/GetSQLConfig.ps1"
disabled = 0
schedule = * */5 * * * *
sourcetype = sql_config
index = cog-tech-database-test-nonprod

Error in the splunk-powershell log file:
ERROR User script exception: : An item with the same key has already been added.

I suspect, it may have something to do with loading the SQLPS module - perhaps Splunk is doing so in the same run space? It's odd because I do have a check (IF CONDITION) in my PS script before I load the SQLPS module to ensure I don't do so if it's already there (see below).

if (Get-Module -Name SQLPS -ListAvailable)
{
    if ((Get-ExecutionPolicy) -ne 'Restricted') 
    {
        Import-Module -Name SQLPS -DisableNameChecking -Verbose:$false
    }
    else
    {
        Write-Host 'The SQLPS PowerShell module cannot be loaded with an execution policy of restricted'
    }
}

Any ideas?

malmiran · ‎11-21-2018

Figured it out. It was dumb mistake in my IF. Should have used -NOT (doh!). Anyway, working now perfectly now.

View solution in original post

malmiran · ‎11-21-2018

Figured it out. It was dumb mistake in my IF. Should have used -NOT (doh!). Anyway, working now perfectly now.

Error using the Powershell-Addon (modular input)

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases