need help with splunk btool in powershell

satyaallaparthi — Wed, 04 Dec 2019 19:17:04 GMT

Hello,

How can I write power shell script for running btool command ?

where ever I am directly doing in powershell. That is working fine. But, when I store "C:\Program Files\Splunk\bin\splunk" cmd btool props list --debug in test.ps1 and running the script from powersell then, I am getting the error.

Unfortunately, Splunk team does not always have access to the server, so we have to either gain access (takes time and approvals) or involve the server owner to run some Splunk commands.

Rather than walk the server owner through a bunch of long command strings, we should use a script.

Write a powershell script that will:

Start in a UniversalForwarder directory..

Run btool for inputs, outputs, props, and transforms and send the output to .txt files.

Then zip up those 4 files along with the contents of /etc/apps/* and /etc/system/local/* into a single zip file as an output.

The server owner can then mail that .zip file to us and we can diagnose the UF.

Thanks,
Satya Allaparthi

Re: need help with splunk btool in powershell

jhornsby_splunk — Thu, 05 Dec 2019 12:57:21 GMT

Hi @satyaallaparthi ,

What is the error that you are getting? Can you provide the exact PowerShell that you are using to invoke btool?

Cheers,

- Jo.

Re: need help with splunk btool in powershell

rmmiller — Wed, 30 Sep 2020 03:16:02 GMT

I suspect you are probably running into an error because you don't have an ampersand in front of your splunk.exe command. PowerShell gets really confused if you try to do that with something that isn't a PowerShell cmdlet or alias. Adding a "&" in front of it solves that problem.

I assumed you might not be running the latest PowerShell, but if you are, the zipping part could be simplified using PowerShell 5 native Compress-Archive cmdlet.

To use this, run the script and you should have a zip created in $env:TEMP named SplunkTroubleshootingArchive_timestampformat.zip. For example: SplunkTroubleshootingArchive_05122019113952.zip

The script will tell you where the zip file is for easy copy/pasting. No Splunk knowledge necessary.

I didn't include a lot of error handling in here. I'm relying on BYOEH (Bring Your Own Error Handling). I also wouldn't call this pretty, but this works for the tests I ran and should get you in the right direction.

# Roll own function to create zip files since PowerShell version is unknown
# Copied from https://stackoverflow.com/questions/1153126/how-to-create-a-zip-archive-with-powershell
function ZipFiles($zipfilename,$sourcedir,$inclRoot)
{
   Add-Type -Assembly System.IO.Compression.FileSystem
   $compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal
   [System.IO.Compression.ZipFile]::CreateFromDirectory($sourcedir,$zipfilename,$compressionLevel,$inclRoot)
}

#####################################################################
# Parameters you should customize for your environment/use case
#####################################################################
# If splunkd is running, programmatically get SplunkUF directory
$splunkUFDir = (Get-Process "splunkd").Path -replace '\\bin\\splunkd\.exe',''
# SplunkUF directory - hard-coded for your environment
#$splunkUFDir = "C:\Program Files\Splunk"

# Array of conf files for btool to parse
$confFiles = @("props","inputs","outputs","transforms")

# Array of Splunk directories to include in zip
$splunkDirsToZip = @("\etc\apps","\etc\system\local")

# Format for timestamp that can be used in file paths
$dateTime = Get-Date -Format "ddMMyyyyHHmmss"
#####################################################################



# Make a directory in $env:TEMP for constructing zip file
$logFolder = New-Item -Path $env:TEMP -Name $($dateTime+"_Splunklogs") -ItemType "directory"

# Loop over the conf files to create output files
# Output is written to temporary directory based on timestamp
foreach ($conf in $confFiles)
{
    & "$splunkUFDir\bin\splunk.exe" cmd btool $conf list --debug | Out-File -FilePath $($logFolder.FullName+"\"+$dateTime+"_"+$conf+".txt") -Force
}

# Loop over the directories to create zip files written to temporary directory based on timestamp
foreach ($d in $splunkDirsToZip)
{
    # Replace the slashes and backslashes with underscores for zip file name, but convert all to backslashes for compression call
    $dirZipFile = $($logFolder.FullName+"\"+$dateTime+"_"+($d -replace '/|\\','_')+".zip") -replace '/','\'
    $srcDir = ($splunkUFDir+$d) -replace '/','\'
    ZipFiles $dirZipFile $srcDir $false
}

# Now zip up the temporary directory into a single zip
$splunkTroubleshootingArchive = (($logFolder.Parent.FullName)+"\SplunkTroubleshootingArchive_"+$dateTime+".zip") -replace '/','\'
ZipFiles $splunkTroubleshootingArchive $logFolder $false

# Clean up temporary log directory if the archive exists
if ($splunkTroubleshootingArchive)
{
    Remove-Item $logFolder -Recurse -Force -ErrorAction SilentlyContinue
    Write-Output "Zip archive is at:`n`t`t$splunkTroubleshootingArchive"
} else {
    Write-Warning "Script failure.  No zip archive created."
}

Some useful references for you:
https://stackoverflow.com/questions/24940243/running-cmd-command-in-powershell
https://stackoverflow.com/questions/1153126/how-to-create-a-zip-archive-with-powershell
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/?view=powershell-5.1

Hope that helps!
rmmiller

topic Re: need help with splunk btool in powershell in Getting Data In

need help with splunk btool in powershell

Re: need help with splunk btool in powershell

Re: need help with splunk btool in powershell