Solved: Re: Getting data from prowershell script

aNamee · ‎11-02-2017

Hello,

I am having some trouble getting data into Splunk from a powershell script.
The script is a Nagios script called "Check Windows Updates using Powershell", and returning the current status of the Windows Update software using the standard output "Write-Host".
My problem is that the script does not seem to run when intended.
I added my check_windows_updates.ps1 script via the "Add data" wizard, but it does not seem to run.
I also added an other .bat script containing the following :

@echo off
powershell check_windows_updates.ps1

But it does not seem to run either, as I do not get any data from those two scipts inputs.

Thanks in advance for your help!

EDIT: I have .Net 4.7 and Powershell 3.0 installed on my windows server

rjthibod · ‎11-06-2017

You are not correctly using the powershell script. You need to bundle the Powershell script as a scripted input/add-on, and then tell inputs.conf to invoke the powershell script.

Here are some reference links
https://answers.splunk.com/answers/334729/how-to-troubleshoot-why-my-powershell-scripted-inp.html
https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdatawithPowerShellscripts

Note, when I have done Powershell scripts as inputs, I have always used a .path file approach as shown in the first link. I have never used the Splunk Powershell Add-on. Just my experience.

View solution in original post

rjthibod · ‎11-06-2017

You are not correctly using the powershell script. You need to bundle the Powershell script as a scripted input/add-on, and then tell inputs.conf to invoke the powershell script.

Here are some reference links
https://answers.splunk.com/answers/334729/how-to-troubleshoot-why-my-powershell-scripted-inp.html
https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdatawithPowerShellscripts

Note, when I have done Powershell scripts as inputs, I have always used a .path file approach as shown in the first link. I have never used the Splunk Powershell Add-on. Just my experience.

aNamee · ‎11-06-2017

Thanks for your answer!!
I solved this problem setting up my script as a Powershell 3 modular input instead of setting it as a standard input script, with Script path like . "$SplunkHome\..." , not from C:\ and with CRON formatted Schedule.
Also I changed "Write-Host" to "Write-Output" in script.

aNamee · ‎11-06-2017

A .path could have been good too if I wasn't on Splunk 7 but on a version 6.2 or lower, where Powershell isn't supported natively. I find it easier to configure all via GUI than by editing config files in FS.

aNamee · ‎11-06-2017

FYI, I am on Splunk 7.

aNamee · ‎11-06-2017

Did any of you ever ran a powershell script as a Splunk input?
Or has any other alternatives in order to get Windows Update's status?

EDIT : I gave a try to Splunk App for Windows, but unfortunately it does not monitor what I need. I would like to monitor the number of updates Windows has retrieved before the installation, but Splunk App for Windows only enables me to review the status of Windows' past updates

Thanks

Getting data from prowershell script

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk