I'm trying to do something very simple but for some reason I can not get it to work. I'm trying to run the basic PowerShell command below on a universal forwarder (on a Windows 10 workstation) but the output is not going to Splunk.
One question I have is what sourcetype should I be using? Each PowerShell command will have a different output...so do I need to have a sourcetype for each command I run?
(And I have read the article but it's just not clicking for me: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts)
Key points:
* Workstation is connected to the deployment server
* I am using a very basic custom add-on app that hosts the PowerShell command
* Custom add-on app info:
2 directories -> local and metadata. The local folder has two files: app.conf and inputs.conf (which is below).
[powershell://test-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = **system is not showing this correctly but it polls every minute**
sourcetype = Windows:Process
Hi @manderson_rr,
What is schedule set to exactly?
Also, what version is the UF?
Cheers,
- Jo.
[powershell://manderson-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = 0 */1 * * *
sourcetype = Windows:Process
UF --> 7.3.1.1
Yes, each type of data should have its own sourcetype.
Be aware that PowerShell is not packaged with the UF; it must be installed on Windows.
Your script line looks fishy...
What's wrong with the script? It's almost exactly the example they used in their documentation
[powershell://Processes-EX1]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName, @{n="SplunkHost";e={$Env:SPLUNK_SERVER_NAME}}
schedule = 0 */5 * * *
sourcetype = Windows:Process
Hi manderson_rr,
Your schedule in inputs.conf should be in cron format. For example, if you want the script to run every 5 minutes, your schedule should match the examples in the link below:
https://www.thegeekstuff.com/2011/07/cron-every-5-minutes/
Also, you can add an index in your inputs.conf if you want a separate index for the processes you are monitoring.
And if you are adding a custom index, don't forget to create this custom index on the search head as well.
My schedule looks like this: * */1 * * *
@woodcock Link: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts
Under PowerShell input configuration values >> Single command example
Yes, I retract my comment on the fishiness of the script line; I don't do much powershelling...
@woodcock no worries. I thought using PowerShell would be more common but I'm finding not many customers use it with their UF.
Hi @manderson_rr,
Ah yes, unfortunately some of the example schedules are incorrect. How often would you like it to run? Here's a handy site: https://crontab.guru/
I can confirm that a number of customers are using the PowerShell modular input successfully.
Cheers,
- Jo.
@jhornsby_splunk For now, I would like to run every minute.
Then use * * * * * but I think that is crazy....
I would only use that example for 5-10 minutes, so I can troubleshoot and/or verify the output is being ingested. It will run every 60 minutes once it actually works.
That's OK then.
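To make the schedule discussion above concrete, here is an added checker (my own example, not code from the thread or from Splunk) that parses a constructed inputs.conf modelled on the stanzas quoted here, confirms each [powershell://...] stanza has script, schedule and sourcetype, and counts how often the 5-field cron schedule actually fires per day, so that "0 */5 * * *" shows up as 5 runs a day rather than the every-5-minutes the docs example suggests.

```python
import configparser

# Constructed inputs.conf sample modelled on the stanzas quoted in this thread.
SAMPLE_INPUTS_CONF = """[powershell://manderson-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = 0 */1 * * *
sourcetype = Windows:Process

[powershell://Processes-EX1]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName
schedule = 0 */5 * * *
sourcetype = Windows:Process
"""

def expand_field(field, low, high):
    """Expand one cron field (*, */n, a-b, a,b, a-b/n) into the set of values it matches."""
    values = set()
    for part in field.split(","):
        step = "1"
        if "/" in part:
            part, step = part.split("/")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, int(step)))
    return values

def runs_per_day(schedule):
    """How many times a 5-field cron schedule fires on a day whose date fields all match."""
    fields = schedule.split()
    if len(fields) != 5:
        raise ValueError(f"schedule needs 5 cron fields, got {len(fields)}: {schedule!r}")
    # minute x hour combinations: '0 */5 * * *' is 1 minute x 5 hours = 5 runs, not 288
    return len(expand_field(fields[0], 0, 59)) * len(expand_field(fields[1], 0, 23))

def check_powershell_stanzas(conf_text):
    """Map each [powershell://...] stanza to its runs per day; fail on a missing key."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    results = {}
    for section in cp.sections():
        if not section.startswith("powershell://"):
            continue
        for key in ("script", "schedule", "sourcetype"):
            if key not in cp[section]:
                raise ValueError(f"[{section}] is missing '{key}'")
        results[section] = runs_per_day(cp[section]["schedule"])
    return results
```

Running check_powershell_stanzas(SAMPLE_INPUTS_CONF) reports 24 runs a day for "0 */1 * * *" (hourly) and 5 for "0 */5 * * *", while "*/5 * * * *" gives the 288 you actually want for every five minutes.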
Hi @manderson_rr,
For maximum debugging, you can change $logDebug to $true in splunk-powershell.ps1, which affects splunk-powershell.ps1.log. And you can also change ExecProcessor (in log.cfg) and splunk-powershell (in log-cmdline.cfg) to DEBUG, which affects splunkd.log. You will need to restart the UF for the changes to take effect. Maybe one of these logs will provide some clues as to what is going wrong.
Cheers,
- Jo.
Link to dox?
Link: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts
Under PowerShell input configuration values >> Single command example