I've done the install and set the PowerShell execution policy to bypass, rebuilt the lookups, and I'm still not getting any SQL Server data in Splunk.
Follow-up answer.
The Exception mentioned in your comment indicates that you have not enabled script execution properly. Microsoft limits the scripts that can be run via PowerShell for security reasons. The default setting is AllSigned, indicating that the scripts must have a digital signature. We do not ship the scripts signed. As a result, you need to ensure the proper execution policy is implemented. In the short term, you can set the proper execution policy by running the following command from an ELEVATED PowerShell console:
Set-ExecutionPolicy RemoteSigned
However, a group policy may override this setting, so ensure your group policy from Active Directory does not reset it for you. If it does, then get the change made in Active Directory.
In addition, the system will not execute "blocked" scripts. When you download a file from the internet, Windows blocks the execution of the file. If you unpack the file without unblocking it, then all the unpacked files are similarly blocked. You may need to go into the path mentioned in the log, right-click on the file, select Properties and unblock the file.
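The two checks described in this answer (which scope sets the execution policy, and which unpacked files are still blocked) can be scripted. This is an added example, not part of the original answer or of the Splunk add-on; the `$AppRoot` default is the path from the PSSecurityException quoted in this thread, the `-Unblock` switch is a name made up for this sketch, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: diagnose why the PowerShell modular input refuses to load scripts.
# Run from an elevated console, ideally as the account the Splunk service uses,
# because the CurrentUser scope is stored per account.
param(
    # Path taken from the exception in the log; adjust for your install location.
    [string]$AppRoot = 'C:\Program Files\Splunk\etc\apps\SA-ModularInput-PowerShell',
    # Hypothetical switch for this sketch: only clear the block when asked to.
    [switch]$Unblock
)

# 1. Execution policy per scope, listed in precedence order.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table -AutoSize

# MachinePolicy and UserPolicy are written by Group Policy and take
# precedence over anything set locally with Set-ExecutionPolicy.
$fromGpo = $policies | Where-Object {
    $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined'
}
if ($fromGpo) {
    $summary = ($fromGpo | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
    Write-Warning "Group Policy controls the execution policy ($summary); change it in Active Directory."
}
"Effective policy in this session: $(Get-ExecutionPolicy)"

# 2. Script files that still carry the Zone.Identifier alternate data stream,
#    which is how Windows marks a file as downloaded from the internet.
$scriptTypes = '.ps1', '.psm1', '.psd1', '.ps1xml'
$blocked = Get-ChildItem -LiteralPath $AppRoot -Recurse -File |
    Where-Object { $_.Extension -in $scriptTypes } |
    Where-Object {
        Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    }

if (-not $blocked) {
    "No blocked script files found under $AppRoot"
} else {
    "Blocked script files:"
    $blocked | ForEach-Object { "  $($_.FullName)" }
    if ($Unblock) {
        # Same effect as Properties > Unblock in Explorer, applied to each file.
        $blocked | Unblock-File
        "Unblocked $(@($blocked).Count) file(s)."
    }
}
```

Without `-Unblock` the script only reports, so the list of affected files can be reviewed before anything is changed.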
That is so annoying, and super annoying that it isn't listed in the requirements section of the Monitor Windows data with PowerShell scripts documentation. We aren't going to be changing our hundreds of servers' security settings to enable one Splunk input. Unfortunately I only found this issue after wasting time making my PowerShell script and testing it locally before trying to run in a deployment-app. Many other programs which run PowerShell remotely (e.g. Octopus Deploy) can run the scripts remotely with the default Windows security settings for PowerShell.
I figured out I wasn't running the PowerShell console in ELEVATED mode (run as Administrator) - thanks so much for your help!
In following the directions, I previously set the execution policy to "bypass"... when I open a PowerShell window from SSMS and "get-executionPolicy" it is "bypass"
When does the PowerShell script attempt to execute?... Can I repeat it?... The error I have in the PowerShell log is from 2 days ago, so it is possible I fixed it with the "bypass" setting?
Take a look through the TA-sqlserver inputs.conf - each stanza has an index and a sourcetype. A good search is:
index=mssql | chart count by host,sourcetype
This will tell you which hosts are producing which sourcetypes. Correlate that visually with the list of sourcetypes from your inspection of the inputs.conf file and you will know which pieces are not running. Once you have that, the next step is to look for possible errors. A search that will help there is:
index=_internal source=*powershell*.log
Look for any obvious errors. Does anything leap out at you? If nothing does, then take a look at splunkd.log, for which you can use a search similar to the one above.
Let me know what you find out.
In the PowerShell log I see some maybe problematic events:
...sourcetype = powershell-too_small...
...Inner Exception PSSecurityException: File C:\Program Files\Splunk\etc\apps\SA-ModularInput-PowerShell\windows_x86_64\bin\Modules\LocalStorage\LocalStorage.psm1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170...
In the splunkd logs I see a bunch of "GET"s and "POST"s, but nothing seems to be erroring.
Thanks for your help!
Any ideas where to go from here?
I get 0 results for anything with index=mssql --- that's what I don't understand.