Hi
I'm trying to execute 2 different PowerShell scripts with different sourcetypes but on the same index. One of them is running but the second does not.
Moreover, when I put one of the scripts in disabled=false and the other as true, it runs OK.
Did it happen to someone?
A few things:
I think your script attribute value in the stanza might be incorrect. The forward slashes should be backslashes in a Windows environment: http://docs.splunk.com/Documentation/AddOns/released/MSPowerShell/Configuration
Try the full path name, no dots.
It also appears you are missing an opening bracket [ in front of the PowerShell in the stanza header.
If it still isn't working after that:
Have you checked splunkd.log for that stanza/script for any errors? If no, try that. You can do this via the search head by looking in index=_internal sourcetype=splunkd
Do these two different scripts provide two unique outputs? I.e., do they not have the same hash value?
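The stanza checks listed in the answer above, written out as an added example that is not part of the original thread: a small Python lint over inputs.conf text. The function name, messages and sample stanzas are constructed for illustration, and it flags only what the answer suggests reviewing, not what Splunk itself rejects.

```python
import re

# Constructed sample: the first stanza passes the answer's checklist,
# the second shows the items it asks to review (names/paths are made up).
SAMPLE = r'''
[powershell://first_script]
script = C:\Splunk\etc\apps\demo\bin\firstScript.ps1
index = main
sourcetype = first_script
disabled = false

powershell://second_script]
script = . "$SplunkHome/etc/apps/demo/bin/secondScript.ps1"
index = main
sourcetype = second_script
disabled = false
'''

def lint_powershell_inputs(text):
    """Return (line_number, message) pairs for the answer's checklist."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Stanza header that lost its opening bracket.
        if ("powershell://" in line.lower() and line.endswith("]")
                and not line.startswith("[")):
            findings.append((n, "stanza header is missing the opening ["))
            continue
        m = re.match(r"script\s*=\s*(.*)$", line, re.I)
        if not m:
            continue
        value = m.group(1)
        # Forward slashes where the answer expects Windows backslashes.
        if "/" in value:
            findings.append((n, "script path uses forward slashes"))
        # No drive-letter path anywhere in the value: not a full path.
        if not re.search(r"[A-Za-z]:\\", value):
            findings.append((n, "script value has no full drive-letter path"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_powershell_inputs(SAMPLE):
        print(f"line {line_no}: {message}")
```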
Thanks for the answer,
for the 3 first points it's OK, it is like this; I was wrong while copying it.
Now the problem is that it takes both of them with bat files but it takes each row as a single event.
Did it happen to you somehow?
It brings me to Splunk the bat text 😞
Can you put your example, please?
Sure, try something like this:
@echo off
powershell.exe -ExecutionPolicy bypass -file "X:\Path\to\your\script.ps1"
It parses each row as a single event.
Do you know what I can do about it?
Sorry for the delay,
I've just tried it and it does the job this time, but again only for one of the scripts.
But then can I make it with two different sourcetypes?
Yeah, using the same method you have above. Just replace the .ps1 with the .bat which calls the .ps1. You can keep the same sourcetypes or change them at your leisure.
Yeah sure, that's my input.conf:
[powershell://first_script]
script= . "$SplunkHome/etc/.... firstScript.ps1"
index= first_script
sourcetype= first_script
disabled = false
[powershell://second_script]
script= . "$SplunkHome/etc/.... secondScript.ps1"
index= second_script
sourcetype= second_script
disabled = false
This happened to me a few months ago. I fixed it by creating a batch script to call the PowerShell script.
Can you share your input.conf configuration (for these two scripted inputs)?