topic Re: How to keep powershell process alive in Getting Data In

How to keep powershell process alive

patrickyoko — Thu, 19 Dec 2019 15:04:40 GMT

Hello,

I've created a Powershell script that I use to monitor a folder.

It all works how it's suppose to work, but the problem is when I deploy it as an Splunk App, it starts the Script but doesn't keep the powershell process alive.

Here are the input.conf en .path files I've used.

inputs.conf
[script://$SPLUNK_HOME\etc\apps\TA_TEST\bin\FolderMonitor.path]
disable=false
interval=-1  
index=winlogs

FolderMonitor.path
$Systemroot\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -Command " & '$SPLUNK_HOME\etc\apps\TA_TEST\bin\FolderMonitor.ps1'"

I've tried several things

Changing the .path file to powershell.exe -noexit -noprofile -executionpolicy bypass -Command, but that didn't work at least not when it's deployed by Splunk if I put that directly in Command Prompt it does work.

Changing the interval from -1 to 0 but that just started a new powershell process, and I need the original process to be kept alive.
Any tips or help would be grealy appreciated.

With kind regards,
Patrick

Re: How to keep powershell process alive

patrickyoko — Fri, 20 Dec 2019 11:40:18 GMT

I've solved the problem by doing the following.

The first script is creating a dirlist and at the end of the script I'm calling Start-Process powershell.exe "-NoExit . .\FileMonitor.ps1"

That way the file monitor is being runned as SYSTEM and outside of Splunk.

Re: How to keep powershell process alive

jhornsby_splunk — Tue, 24 Dec 2019 13:18:16 GMT

Hi @patrickyoko ,

I'm surprised you needed to do this, to be honest. I just tested and using interval = -1 seemed to work for me. What version of Splunk is this?

Also, FWIW, for PowerShell scripts you can use the native PowerShell modular input by means of powershell:// stanzas.

Hope this helps.

Cheers,

- Jo.