Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to keep powershell process alive

patrickyoko
Engager
‎12-19-2019 07:04 AM

Hello,

I've created a Powershell script that I use to monitor a folder.

It all works how it's suppose to work, but the problem is when I deploy it as an Splunk App, it starts the Script but doesn't keep the powershell process alive.

Here are the input.conf en .path files I've used.

inputs.conf
[script://$SPLUNK_HOME\etc\apps\TA_TEST\bin\FolderMonitor.path]
disable=false
interval=-1  
index=winlogs

FolderMonitor.path
$Systemroot\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -Command " & '$SPLUNK_HOME\etc\apps\TA_TEST\bin\FolderMonitor.ps1'"

I've tried several things

Changing the .path file to powershell.exe -noexit -noprofile -executionpolicy bypass -Command, but that didn't work at least not when it's deployed by Splunk if I put that directly in Command Prompt it does work.

Changing the interval from -1 to 0 but that just started a new powershell process, and I need the original process to be kept alive.
Any tips or help would be grealy appreciated.

With kind regards,
Patrick

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

patrickyoko
Engager
‎12-20-2019 03:40 AM

I've solved the problem by doing the following.

The first script is creating a dirlist and at the end of the script I'm calling Start-Process powershell.exe "-NoExit . .\FileMonitor.ps1"

That way the file monitor is being runned as SYSTEM and outside of Splunk.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

patrickyoko
Engager
‎12-20-2019 03:40 AM

I've solved the problem by doing the following.

The first script is creating a dirlist and at the end of the script I'm calling Start-Process powershell.exe "-NoExit . .\FileMonitor.ps1"

That way the file monitor is being runned as SYSTEM and outside of Splunk.

0 Karma
Reply
Solved! Jump to solution

jhornsby_splunk
Splunk Employee
Splunk Employee
‎12-24-2019 05:18 AM

Hi @patrickyoko ,

I'm surprised you needed to do this, to be honest. I just tested and using interval = -1 seemed to work for me. What version of Splunk is this?

Also, FWIW, for PowerShell scripts you can use the native PowerShell modular input by means of powershell:// stanzas.

Hope this helps.

Cheers,

- Jo.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...