topic Re: How to run basic PowerShell script on universal forwarder in Getting Data In

How to run basic PowerShell script on universal forwarder

manderson_rr — Thu, 21 Nov 2019 21:19:40 GMT

I'm trying to do something very simple but for some reason I can not get it to work. I'm trying to run the basic PowerShell command below on a universal forwarder (on a Windows 10 workstation) but the output is not going to Splunk.

One question I have is what sourcetype should I be using? Each PowerShell command will have a different output...so do I need to have a sourcetype for each command I run?
(And I have read the article but its just not clicking for me https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts)

Key points:
*Workstation is connected to the deployment server
*I am using a very basic custom add-on app that host the PowerShell command
*Custom Add-on app info
2 directories -> local and metadata. The local folder has two files: app.conf and inputs.conf (which is below).

[powershell://test-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = **system is not showing this correctly but it polls every minute**
sourcetype = Windows:Process

Re: How to run basic PowerShell script on universal forwarder

woodcock — Thu, 21 Nov 2019 21:56:51 GMT

Yes, each type of data should has its own sourcetype.
Be aware that Powershell is not packaged with UF, it must be installed to Windows.
Your script line look fishy...

Re: How to run basic PowerShell script on universal forwarder

manderson_rr — Wed, 30 Sep 2020 03:07:18 GMT

What's wrong with the script? It's almost exactly the example they used in their documentation

[powershell://Processes-EX1]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName, @{n="SplunkHost";e={$Env:SPLUNK_SERVER_NAME}}
schedule = 0 */5 * * *
sourcetype = Windows:Process

Re: How to run basic PowerShell script on universal forwarder

woodcock — Thu, 21 Nov 2019 22:28:28 GMT

Link to dox?

Re: How to run basic PowerShell script on universal forwarder

jhornsby_splunk — Thu, 21 Nov 2019 22:40:34 GMT

Hi @manderson_rr,

What is schedule set to exactly?

Also, what version is the UF?

Cheers,

- Jo.

Re: How to run basic PowerShell script on universal forwarder

nikita_p — Fri, 22 Nov 2019 05:09:32 GMT

Hi manderson_rr,
Your schedule in inputs.conf should be in a cron format. Like if you want the script to run for every 5 minutes your schedule should be equal to the examples in the link below:
https://www.thegeekstuff.com/2011/07/cron-every-5-minutes/

Also you can add index in your inputs.conf if you want a separate index for the processes you are monitoring.
And if you are adding a custom index don't forget to create this custom index on search head as well.

Re: How to run basic PowerShell script on universal forwarder

manderson_rr — Fri, 22 Nov 2019 16:52:46 GMT

My schedule looks like this: * */1 * * *

@woodcock Link: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts

Under PowerShell input configuration values >> Single command example

Re: How to run basic PowerShell script on universal forwarder

manderson_rr — Fri, 22 Nov 2019 17:00:09 GMT

Link: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts

Under PowerShell input configuration values >> Single command example

Re: How to run basic PowerShell script on universal forwarder

manderson_rr — Fri, 22 Nov 2019 17:02:53 GMT

[powershell://manderson-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = 0 */1 * * *
sourcetype = Windows:Process

UF --> 7.3.1.1

Re: How to run basic PowerShell script on universal forwarder

woodcock — Fri, 22 Nov 2019 17:18:02 GMT

Yes, I retract my comment on the fishiness of the script line; I don't do much powersehelling...

Re: How to run basic PowerShell script on universal forwarder

manderson_rr — Fri, 22 Nov 2019 17:33:29 GMT

@woodcock no worries. I thought using PowerShell would be more common but I'm finding not many customers use it with their UF.

Re: How to run basic PowerShell script on universal forwarder

jhornsby_splunk — Fri, 22 Nov 2019 20:44:16 GMT

Hi @manderson_rr,

Ah yes, unfortunately some of the example schedules are incorrect. How often would you like it to run? Here's a handy site: https://crontab.guru/

I can confirm that a number of customer are using the PowerShell modular input successfully. O&;)

Cheers,

- Jo.

Re: How to run basic PowerShell script on universal forwarder

manderson_rr — Fri, 22 Nov 2019 20:47:11 GMT

@jhornsby_splunk For now, I would like to run every minute.

Re: How to run basic PowerShell script on universal forwarder

woodcock — Fri, 22 Nov 2019 20:56:04 GMT

Then use * * * * * but I think that is crazy....

Re: How to run basic PowerShell script on universal forwarder

manderson_rr — Fri, 22 Nov 2019 20:59:52 GMT

I would only use that example for 5-10 minutes, so I can troubleshoot and/or verify the output is being ingested. It will run every 60 minutes once it actually works.

Re: How to run basic PowerShell script on universal forwarder

jhornsby_splunk — Fri, 22 Nov 2019 21:07:54 GMT

Hi @manderson_rr,

For maximum debugging, you can change $logDebug to $true in splunk-powershell.ps1, which affects splunk-powershell.ps1.log. And you can also change ExecProcessor (in log.cfg) and splunk-powershell (in log-cmdline.cfg) to DEBUG, which affects splunkd.log. You will need to restart the UF for the changes to take effect. Maybe one of these logs will provide some clues as to what is going wrong.

Cheers,

- Jo.

Re: How to run basic PowerShell script on universal forwarder

woodcock — Fri, 22 Nov 2019 21:26:09 GMT

That's OK then.