topic Re: How to ingest PowerShell script that outputs json? in Getting Data In

How to ingest PowerShell script that outputs json?

rufflabs — Fri, 28 Jul 2023 19:19:14 GMT

Hello,

I have a PowerShell script that parses emails and pulls out specific header data that I want in Splunk. While writing the script I decided to have it output json as I thought that would be a good option to feed to splunk. I produced a sample json log file (one line json per message I want parsed) and setup a sourcetype via the interactive add data wizard. I then added that sourcetype to my app's props.conf.

My issue is I cannot seem to find the right way to get splunk to execute the powershell script. I've tried script:// with the ps1, with a .path file, and recently tried powershell:// with a script parameter. Nothing seems to be working.

Any guidance on how to make this would be great. I don't want to have to resort to a scheduled task running the script which outputs to a log file that splunk monitors, but I can do that if I need to.

Here is my inputs.conf that I tried:

[script://$SPLUNK_HOME/etc/apps/phishalert/bin/phishalert_output.ps1] disabled = 1 interval = 300 index = email source = phishalert sourcetype = phishalert [script://$SPLUNK_HOME/etc/apps/phishalert/bin/phishalert_output.path] disabled = 1 interval = 300 index = email source = phishalert sourcetype = phishalert [powershell://PhishAlertOutput] disabled = 1 script = . "$SPLUNKHOME/etc/apps/phishalert/bin/phishalert_output.ps1" schedule = */5 * * * * sourcetype = phishalert

Here is the props.conf:

[phishalert] DATETIME_CONFIG = INDEXED_EXTRACTIONS = json KV_MODE = none LINE_BREAKER = ([\r\n]+) TIMESTAMP_FIELDS = timestamp category = Structured description = Phish alert json data. disabled = false pulldown_type = true

Re: How to ingest PowerShell script that outputs json?

cklunck — Sat, 29 Jul 2023 22:56:34 GMT

Splunk is being asked to run a PowerShell script on what looks like a *nix system. Is there a PowerShell interpreter installed on this Splunk host?

If so, you may need to do something like:

[script://path/to/pwsh $SPLUNK_HOME/etc/apps/phishalert/bin/phishalert_output.ps1]

There are a few other options in the [script] section of inputs.conf.spec that you might want to explore, including "start_by_shell".

Re: How to ingest PowerShell script that outputs json?

rufflabs — Mon, 31 Jul 2023 14:23:31 GMT

This is all Windows, what makes you think it's linux? Did I misconfigure something?

Re: How to ingest PowerShell script that outputs json?

PickleRick — Mon, 31 Jul 2023 20:55:54 GMT

You use slashes as path separators, not backslashes. In my experience something like this worked:

[powershell://your-stanza-name]
script= . "$SplunkHome\etc\apps\your_app\bin\scripts\your_script.ps1

Re: How to ingest PowerShell script that outputs json?

rufflabs — Wed, 02 Aug 2023 13:24:48 GMT

Hah, that shouldn't matter because PowerShell can interpret both methods, but sure enough that got it working. Thanks!