topic Re: Powershell input for Splunk universal forwarder - Windows Server in Getting Data In

Powershell input for Splunk universal forwarder - Windows Server

chimbudp — Tue, 25 Feb 2014 16:30:26 GMT

I am just trying to create a dashboard which shows Windows System information (like Task Manager)

Powershell script:

Get-Process  | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin {
    $Owner = Get-WmiObject -Class Win32_Process
} -Process {
    $ID = $_.Id
    New-Object -TypeName 'PSCustomObject' -Property @{
        'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User
        'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain
        'ProcessName' = $_.ProcessName
        'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB)
    } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed
}

Output of the script:

UserName               DomainName           ProcessName       MemoryUsed
---------              ----------           -----------       ----------
NETWORK SERVICE        NYYYY                chrome            6.61 MB
SYSTEM                 NYYYY                Explorer          17.80 MB
User1                  CCTTT                cmd               9.65 MB

The Script runs fine and Exeution-Policy are set to Remote-Signed

I set the inputs.conf to read the Script at bin directory, but unable to get the output as expected? Does any modifications needed at script ?

I created a .cmd file to open the powershell script and placed both the .ps1 & .cmd at /bin directory

Inputs.conf

[script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd]
interval = 0
sourcetype = winperf
index = main

Re: Powershell input for Splunk universal forwarder - Windows Server

linu1988 — Tue, 25 Feb 2014 19:33:10 GMT

Hello,
Put the scripts in bin/script folder

[script://$SPLUNK_HOME\etc\apps\MSICreated\bin\scripts\Status.cmd]
interval = 0
sourcetype = winperf
index = main

Status.cmd should have:

 @powershell -File E:\Apps\SplunkUniversalForwarder\etc\apps\MSICreated\bin\scripts\Status.ps1

Thanks

Re: Powershell input for Splunk universal forwarder - Windows Server

halr9000 — Tue, 25 Feb 2014 21:12:03 GMT

You should try the PowerShell Addon, I think you'll have a better experience with it. The addon is a PowerShell host, implemented as a Splunk modular input.

Be sure to read the README, there are some caveats. But it's a cool solution, and the basis for several Splunk Apps like MS Exchange. No more creating a .cmd file to launch powershell.exe. You can even embed bare PowerShell statements in inputs.conf.

Re: Powershell input for Splunk universal forwarder - Windows Server

chimbudp — Tue, 25 Feb 2014 22:05:20 GMT

thanks abhi..

Re: Powershell input for Splunk universal forwarder - Windows Server

rmillerscjcom — Fri, 13 Jan 2017 21:19:58 GMT

The link readme link in the body of this post is missing the last "E", it should be: https://github.com/splunk/splunk-powershell-modularinput/tree/master/Package/README

Re: Powershell input for Splunk universal forwarder - Windows Server

afamoyib — Thu, 08 Mar 2018 22:27:04 GMT

For powershell if you want to do it via the input file. You will need a path file, this is the easiest solution.

step 1 create a script and store it in a directory. For this example i will use C:\temp\bin\test.ps1
Step 2 create a path file(file.path). C:\temp\bin\testpath.path
Step 3 Store this in your path file . Store this in the path $SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command " C:\temp\bin\test.ps1'"
Step 4 Create the inputs.conf file