How do you install Splunk Add-on for Microsoft PowerShell?

snix
Communicator

I am new to Splunk and am setting up Splunk App for Windows Infrastructure and one of the requirements is to install the Splunk Add-on for Microsoft PowerShell. So I found the download here:
https://splunkbase.splunk.com/app/1477/

And it says to install it on the universal forwarder but not sure how to do that and there seems to be little to no actual documentation on how to do it at all; all I was able to find is a page outlining the .NET requirements but not much else. All I have is the extracted folder from the download but now I have no idea what to do with it.

1 Solution

rpille_splunk
Splunk Employee

Your installation on a single server is just fine -- no need for forwarders if you are just testing everything on one machine.

The error that you are seeing arises because of missing prerequisites. Please make sure you have reviewed all the requirements here: http://docs.splunk.com/Documentation/AddOns/latest/MSPowerShell/Hardwareandsoftwarerequirements

snix
Communicator

Yep I found that too and I was missing .NET 3.5 since the issue was related to Powershell2 and that was what was in the error. I thought since I was on a server 2012 that all I needed was 4.5 but I just finished installing 3.5 and reset Splunk and the error didn't come back!

I am testing the Splunk install on one server but I am accessing logs on three remote AD servers so do I need the Powershell add-on installed on all three AD servers?

bsonposh
Communicator

The PowerShell TA uses all the native PowerShell tools so if you are able to write a PowerShell script to get the data you are interested in getting then you can install and run the script from a single install.

The only time you would need to install the PowerShell TA in multiple places is if you wanted to distribute workload or were accessing something that could not be accessed remotely.

snix
Communicator

Okay all the servers are on the same network so as long as this specific add-on is not also required to be installed on the AD servers where universal forwarders are installed and forwarding log data to the Splunk server then great. Thank You!

snix
Communicator

I came across that page yesterday and found it confusing. It tells you to download the files from the Splunkbase and gives a link. Okay great, I clicked on it and pulled down the file and went back to the install overview page to start step 2. On step 2 you have a link to "Install the add-on". Okay great, so I clicked on that and came up to a page that says install the add-on to the search head and forwarders and provides a link back to the download of the add-on.

So this is one point where I get confused. I think the "Search Head" is just one part of the Splunk install and can operate on a separate server. I am currently just testing this solution out so I have all of Splunk installed on a single server, so I would assume then I need to install it on my Splunk server, right? Also it says "Forwarders"; does that mean install it on the Universal Forwarder that is installed on the AD server or is that some other part of the Splunk install? And if it is supposed to be installed on the Universal Forwarder then how is that done?

It also says you cannot use a deployment server to deploy the add-on. I am still a little fuzzy on what a Splunk deployment server does. As far as I can tell it does what the name implies and you use it to deploy software to the hosts you are monitoring; for instance it would somehow be used to deploy the Universal Forwarder on a Windows server remotely, but I am still unsure of that. But it sounds like that is not going to work regardless for this add-on so I will move on.

So I then saw at the bottom of the "Install the Splunk Add-on for Microsoft PowerShell" page where it has an install walkthrough, and out of the possible walkthrough options I see the "Single-Instance" Splunk Enterprise and thought that would pertain to how I have mine installed since it all sits on a single server, so I clicked on it. On this page it says to install it through the app install section as a file so I tried that with the copy I already downloaded and bam, it says I already had it! Great, right? Well, in all the confusion last week when I was messing with it I must have already tried this and I forgot. So great and done... well, not so fast. I am still not convinced it is fully done or properly set up because now I see a message in Splunk that says this:

Unable to initialize modular input "powershell2" defined inside the app "SA-ModularInput-PowerShell": Introspecting scheme=powershell2: script running failed (exited with code -2146232576).

So now I will look for an answer to this and also I still don't know if I need to install it on the Universal Forwarder or not. At this point I have jumped in and out of so many pages trying to get all the settings right and modules installed to get AD monitoring working that I am just getting lost. If anyone knows more specifics of how this add-on actually works and can verify where it should be installed and if there is any additional configuration required, just so I know I am on the right track, that would be a huge help.

csnidsplunk
Explorer

Thanks again Shawn.

Would you be able to give me an example of what you're talking about or what was shared with you? Thank you. Does this site have an option to PM someone or only answering back in the form of an answer?

kpers
Path Finder

Hello csnidsplunk.

To be honest I gave up on it after someone showed me how to solve the problem I was looking for through a simple Splunk query so as soon as I got that I scrapped the idea of going forward in getting Splunk's Microsoft App working as it is a massive pain and that in turn left me without the need to mess with the PowerShell piece. Thank you for taking the time to respond back!

Regards,
Shawn

csnidsplunk
Explorer

Hello Snix,

Did you figure out any more information? I tried to see where you could message a user directly but I'm not seeing that. Only an answer, but I'm sure I can delete it after I hear back from you.

Thanks

ChrisG
Splunk Employee

Did you find the installation instructions in the documentation?
