topic Re: PowerShell script through inputs.conf in Getting Data In

PowerShell script through inputs.conf

nce054 — Mon, 08 Jun 2015 13:43:24 GMT

I am trying to get my PowerShell script to be invoked by inputs.conf. My PowerShell script, ScriptTest.ps1, looks like this (borrowed)

Get-Process  | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin {
         $Owner = Get-WmiObject -Class Win32_Process
     } -Process {
         $ID = $_.Id
         New-Object -TypeName 'PSCustomObject' -Property @{
             'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User
             'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain
             'ProcessName' = $_.ProcessName
             'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB)
         } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed
     } | out-file output.txt

My .cmd file is Status.cmd, and looks like

@powershell -File H:\MyScripts\ScriptTest.ps1

My inputs.conf looks like

[script://$SPLUNK_HOME\etc\apps\SA-ModularInput-PowerShell\Status.cmd]
 interval = 0
 sourcetype = winperf
 index = main

So essentially, I was expecting that when I restarted the service, the output.txt file would be generated. I know the script and command file work because I have ran the command file and the output.txt file was generated. Does anyone know what I am doing incorrectly? Thanks for any help.

Re: PowerShell script through inputs.conf

schose — Mon, 08 Jun 2015 13:48:13 GMT

Hi,

powershell is a mess with splunk and you have to create a .path file.. 🙂

inputs.conf

[script://.\bin\myscript.path]
interval=300
disabled=0

myscript.path

$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command  " &'$SPLUNK_HOME\etc\apps\myapp\bin\powershell\myscript.ps1'"

Cheers,

Andreas

Re: PowerShell script through inputs.conf

nce054 — Mon, 08 Jun 2015 14:27:03 GMT

That seemed to work once, but I deleted the output file that my script was creating, and now it isn't recreating it. I've restarted the service on the Universal Forwarder multiple times. Does the interval of 300 mean that it will take 5 minutes to create the first output file?

EDIT: I see talk of if a process doesn't end, Splunk won't run it again. How can I tell if the script ran completely? Isn't the fact that the output file was generated proof of that?

EDIT: I looked into splunkd.log, and I see that it tried to run the script and exited with the error code 255. Looking into it.

Re: PowerShell script through inputs.conf

schose — Mon, 08 Jun 2015 14:41:02 GMT

300 means the script will run every 5 minutes or if forwarder will be restarted. Check SPLUNK_HOME/var/log/splunk/splunkd.log. script errors of your powershellscript will be displayed there. notice that your powershell script is running in context of the forwarders user (default: system). try to run the script manually to troubleshoot.

Re: PowerShell script through inputs.conf

nce054 — Mon, 08 Jun 2015 14:47:23 GMT

Ran script manually without issue. Trying to think of what could be causing the problem.

Re: PowerShell script through inputs.conf

nce054 — Mon, 08 Jun 2015 15:50:38 GMT

Issue resolved, was having a problem with where I was keeping my script, it wanted it with all of the other scripts in $SPLUNK_HOME\bin\scripts. Thanks for the help, schose!

Re: PowerShell script through inputs.conf

tmontney — Wed, 05 Apr 2017 19:02:23 GMT

The answer above didn't help me when I found it via Google. A Stackoverflow answer led me in the right direction.

powershell -noexit "& ""C:\my_path\yada_yada\run_import_script.ps1"""

http://stackoverflow.com/questions/2035193/how-to-run-a-powershell-script

Referencing the path to Powershell is usually unnecessary. Using a variable for the Splunk install location also might be unnecessary. Regardless of a 32/64 bit installation, it should always bee under C:\Program Files. As for drive letter, the average user doesn't install programs to drives other than where Windows is installed, and Windows is almost always installed on C:.