Hello,
I have a need to execute PowerShell scripts as modular inputs. I am a bit confused about the native support for that.
On one hand, I am under the impression it is supported out of the box by Windows UF when I read this:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowsdatawithPowerShellscripts
On the other hand, there is a dedicated add-on available:
https://splunkbase.splunk.com/app/1477
Is it mandatory to deploy this add-on? Or is it only required for specific scenarios?
Regards.
PowerShell is supported out of the box with the Splunk Universal Forwarder. The second link for the add-on is in addition to the basic capabilities.
In general, the minimum design pattern to run a PowerShell script is to create an app/add-on for the Splunk UF, and in the app you should have a stanza in inputs.conf that looks like this:
[script://.\bin\<FILENAME>.path]
In the "bin" folder of your app you would have a script called .path and its contents would be a single line to call your actual ".ps1" file in the same "bin" folder. My ".path" file contains the following:
$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -command " &'$SPLUNK_HOME\etc\apps\<MY_APP>\bin\<FILENAME>.ps1'"
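As an added example (not from the answer above or from Splunk's own code), here is a minimal <FILENAME>.ps1 that the .path launcher shown above could call. It writes one key=value event per line to stdout, which is what a Splunk scripted input indexes; the interval, sourcetype and index values in the comment are assumptions.

```powershell
# Assumed layout: $SPLUNK_HOME\etc\apps\<MY_APP>\bin\<FILENAME>.ps1
# Assumed inputs.conf stanza for the .path launcher (interval etc. are assumptions):
#   [script://.\bin\<FILENAME>.path]
#   interval = 300
#   sourcetype = windows:service_state
#   index = main
#
# Everything this script writes to stdout becomes event data, so each line
# is a self-contained event with its own timestamp and key=value pairs.

$timestamp = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffzzz")
$hostName  = $env:COMPUTERNAME

# Quote values and neutralise embedded double quotes so field extraction
# does not split a display name containing spaces or quotes.
function Format-Value {
    param([string]$Value)
    return '"' + ($Value -replace '"', "'") + '"'
}

# Win32_Service exposes Name, DisplayName, State and StartMode on
# PowerShell 3.0 and later, which is why it is used instead of Get-Service.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $fields = @(
        "host=$(Format-Value $hostName)",
        "service=$(Format-Value $_.Name)",
        "display_name=$(Format-Value $_.DisplayName)",
        "state=$(Format-Value $_.State)",
        "start_mode=$(Format-Value $_.StartMode)"
    )
    # One event per service, timestamp first so Splunk can parse it.
    Write-Output ("{0} {1}" -f $timestamp, ($fields -join ' '))
}
```

Running the .path file by hand from the app's bin folder shows exactly the lines the forwarder will send, which is the quickest way to check the stanza before enabling it.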
The documentation here says: "This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2" Do they mean the version of Splunk on the Universal Forwarder or the version of Splunk on the server? In other words, if I have a Universal Forwarder running version 6.2.1, does that mean I need to deploy the PowerShell add-on to that forwarder to be able to run a PowerShell script?
Yea, I too am confused because I really thought it used to declare itself not necessary (on the app entry or docs) but I don't see that. It doesn't include anything rich within props.conf, so it's not looking like a necessity for knowledge object enrichment either.
Thanks for your answer.
So what kind of additional capabilities can we expect from this add-on?
I think it is mostly intended to be a Splunk management tool. It allows you to configure, control, and query Splunk controls and data from PowerShell. It is kind of like an API or SDK for Splunk for PowerShell.