I'm about to migrate all our scripted actions to custom alert actions. Each alert triggers a .bat file, which is only used to trigger a PowerShell script doing the real magic. The .bat file is used since Splunk cannot trigger the .ps1 file; CMD will have to use
Powershell -f filename.ps1
The same issue exists for a custom alert action: Splunk cannot trigger that either, so therefore I
When using scripted alert actions I defined a .bat file which the alert triggered. The .bat file was really just a "proxy", since I was not able to trigger the PowerShell script directly from Splunk.
So I have tried the same using a custom alert action:
[nimsoft_100_filenet_error]
is_custom = 1
label = Nimsoft #100, test alert
icon_path = action.png
payload_format = xml
disabled = 0
#alert.execute.cmd = alertNimsoft-doSplunkAlert.ps1
alert.execute.cmd = testArguments.bat
But I must admit that I have not fully understood whether I can still use this approach. All examples found here http://docs.splunk.com/Documentation/Splunk/6.6.0/AdvancedDev/ModAlertsIntro show only Python examples, and I have a hard time understanding how to read the payload (stdin) in a bat/cmd file and then forward it to my PowerShell script. Is this doable, or do I have to install Python on the server when using scripts in custom alert actions?
This was how I finally was able to launch the PowerShell script. All was in the documentation, but only after I had figured it out did I understand the documentation ... (as so many times before)
In the file alert_actions.conf the alert has been defined like this:
alert.execute.cmd = powershell.path
alert.execute.cmd.arg.0 = -NoProfile
alert.execute.cmd.arg.1 = -f
alert.execute.cmd.arg.2 = $SPLUNK_HOME\etc\apps\klp_nimsoft_custom_alerts\bin\testArguments.ps1
alert.execute.cmd.arg.3 = --execute
And then in the \bin folder of the Splunk app I have created, I have added a file named powershell.path containing one single line:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
The next step now will be to understand how I can use PowerShell to read the payload, the same as Python does with the code
settings = json.loads(sys.stdin.read())
Did you ever figure out how to pass arguments to PowerShell? The only thing I'm getting when looping through the args array is "--Execute".
As I remember it, I got an answer from support saying that it actually is not possible using PowerShell. If I'm not totally wrong, it is a bug in how Splunk implements PowerShell. Therefore I switched to Python, as a starter because of this, but also to make the move to running Splunk on Linux easier. As a result of the work my company does related to GDPR we will index a lot more data/logs, and I really expect this to force us to cluster Splunk due to performance. So anyhow, it was not a big deal moving to Python.
$args doesn't work for PowerShell for some reason. There is a variable called $input which has the XML or JSON result information.
It is a bit vague, but this is what I'm interpreting from the documentation:
https://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Alertactionsconf
alert.execute.cmd = <string>
* For custom alert actions: Explicitly specify the command to be executed
when the alert action is triggered. This refers to a binary or script
in the bin folder of the app the alert action is defined in, or to a
path pointer file, also located in the bin folder.
This is telling me alert.execute.cmd should point to the PowerShell executable:
alert.execute.cmd = powershell.exe
alert.execute.cmd.arg.1 = -f
alert.execute.cmd.arg.2 = filename.ps1
If you want to use Python, you would not need to install it, as Python is packaged with Splunk.
To use the arguments sent to PowerShell, you'll use something like this in the script:
$arg1=$args[0]
$arg2=$args[1]
I feel like the args should be the same as you see here: http://docs.splunk.com/Documentation/Splunk/6.1.3/Alert/Configuringscriptedalerts
Personally I'd use Python for this even if I didn't know Python. Learning Python gives you super Splunk powers 😉
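Putting together the open points from the answers above (reading the stdin payload that the Python example gets via `sys.stdin`, the hint that `$input` carries it in PowerShell, and the `$args` / `--execute` check), here is an added example script. It is not code from the original poster or from Splunk; it assumes `payload_format = json` in alert_actions.conf instead of the `xml` used in the stanza above, PowerShell 3.0 or later (for `ConvertFrom-Json`), and that `powershell.exe -f script.ps1` exposes stdin as `$input`. The JSON payload embedded in it is a constructed sample shaped like Splunk's documented payload, not one captured from a real instance, and the field names under `configuration` and `result` are made up.

```powershell
# testArguments.ps1 (added example; not the original poster's script)
# Launched by Splunk roughly as:
#   powershell.exe -NoProfile -f ...\bin\testArguments.ps1 --execute
# Splunk writes the alert payload to the script's stdin, which powershell.exe
# exposes as $input when a script is run with -f. Assumes
# payload_format = json (the stanza above used xml) and PowerShell 3.0+.

$ErrorActionPreference = 'Stop'

# Constructed sample shaped like Splunk's JSON payload; every value is made up.
$SamplePayload = @'
{
  "sid": "scheduler__admin__search__RMD5example_at_1500000000_1",
  "search_name": "Nimsoft #100, test alert",
  "app": "klp_nimsoft_custom_alerts",
  "owner": "admin",
  "results_file": "C:\\Program Files\\Splunk\\var\\run\\splunk\\dispatch\\scheduler__admin__search__RMD5example_at_1500000000_1\\results.csv.gz",
  "results_link": "https://splunk.example.local:8000/app/search/search?sid=...",
  "server_host": "splunk.example.local",
  "server_uri": "https://127.0.0.1:8089",
  "session_key": "REDACTED-SESSION-KEY",
  "configuration": { "severity": "high", "ticket_queue": "filenet" },
  "result": { "host": "fnsrv01", "source": "nimsoft", "message": "FileNet error 100" }
}
'@

function Read-AlertPayload {
    # Joins the stdin lines and parses them as JSON. XML is refused explicitly
    # so a wrong payload_format shows up as a clear error in splunkd.log.
    param([string[]]$Lines)
    $raw = ($Lines -join "`n").Trim()
    if ($raw.Length -eq 0) { throw 'Empty payload on stdin' }
    if ($raw.StartsWith('<')) {
        throw 'Payload is XML; set payload_format = json in alert_actions.conf'
    }
    $p = $raw | ConvertFrom-Json
    foreach ($k in 'sid', 'search_name', 'session_key', 'configuration', 'result') {
        if (-not $p.PSObject.Properties[$k]) { throw "Payload is missing '$k'" }
    }
    return $p
}

function Format-AlertLogLine {
    # Builds the line reported back to Splunk. session_key is deliberately
    # omitted: it is a live Splunk auth token and must never land in a log.
    # result.* comes from indexed events, so it is untrusted: it is quoted
    # and only ever used as data, never spliced into a command line.
    param($Payload)
    $cfg = $Payload.configuration
    $res = $Payload.result
    return ('sid="{0}" search="{1}" severity="{2}" queue="{3}" host="{4}" message="{5}"' -f
        $Payload.sid, $Payload.search_name,
        $cfg.severity, $cfg.ticket_queue,
        $res.host, ($res.message -replace '"', "'"))
}

# --- main -----------------------------------------------------------------
# alert.execute.cmd.arg.3 = --execute should arrive in $args; only warn if it
# does not, since the thread above reports it may not come through reliably.
if (-not ($args -contains '--execute')) {
    [Console]::Error.WriteLine("WARN no --execute argument; args were: $($args -join ' ')")
}

$lines = @($input)
if ($lines.Count -eq 0) {
    # Running by hand without a pipe: fall back to the constructed sample.
    [Console]::Error.WriteLine('INFO stdin empty, using constructed sample payload')
    $lines = $SamplePayload -split "`n"
}

try {
    $payload = Read-AlertPayload -Lines $lines
    # stderr from a custom alert action is captured into splunkd.log.
    [Console]::Error.WriteLine('INFO ' + (Format-AlertLogLine $payload))
    exit 0
} catch {
    [Console]::Error.WriteLine("ERROR $($_.Exception.Message)")
    exit 3   # a non-zero exit code marks the action as failed in Splunk
}
```

To try it outside Splunk, save the sample JSON to a file and pipe it in the same way splunkd would: `Get-Content payload.json | powershell -NoProfile -f testArguments.ps1 --execute`. The two checks worth keeping whatever else the script ends up doing are the refusal to log `session_key` (it can be replayed against the REST port in `server_uri`) and treating everything under `result` as attacker-influenced input, since it is lifted straight out of the indexed events that fired the alert.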
Ahh, yes - of course, I will try that out.
And yes, I see the point with Python, but I prefer to use out-of-the-box tools if possible. But the good news is that my boss has said OK to using Linux when we later move to a clustered Splunk environment, so that should make things easier, sometime in the future.