
Microsoft SCOM - Powershell v3 Modular Input - with Powershell parameters

deckemha
Explorer

Hello,

I'm trying to connect SCOM with "Splunk Addon for Microsoft SCOM" (Version 4.0.0 - on Splunk Enterprise 7.3 Heavy Forwarder on Windows)

The connection itself is working fine and I'm able to retrieve alerts from SCOM e.g. via group=alert which is the following powershell commands from "scom_command_loader.ps1":

    "alert"       = @('Get-SCOMAlert', 'Get-SCOMAlert | Get-SCOMAlertHistory');

The input looks like this:

    & "$SplunkHome\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1" -groups "alert" -server "SCOM_DEV" -loglevel DEBUG -starttime "2021-08-01T00:00:00+02:00"

Now I don't want to have all alerts which will be produced in SCOM, instead I want to narrow it down only to the events with the name "*Windows Defender*".

So for this I've created a new Powershell v3 Modular Input as a copy of the existing one, but using the commands section of the script instead of a group - see also the add-on documentation.

Section: "Configure inputs through the PowerShell scripted input UI"

The example there is:

    & "$SplunkHome\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1" -commands Get-SCOMAlert, Get-SCOMEvent

So I tried to use this. The powershell command is working on the shell when I connect directly to this SCOM system.

    & "$SplunkHome\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1" -commands 'Get-SCOMAlert -Name "*Windows Defender*"' -server "SCOM_DEV" -loglevel DEBUG -starttime "2021-08-01T00:00:00+02:00"

The input is working fine and delivering the Windows Defender Events to Splunk.

BUT the problem now is that it does not create a checkpoint under the path "D:\Splunk\var\lib\splunk\modinputs\scom" as it does when a PowerShell command without a parameter (-Name "*Windows Defender*") is used.

This can be seen in the DEBUG log files of the add-on:

    index=_internal source=*ta_scom.log
2021-08-05 16:37:11 +02:00 [ log_level=WARN pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] End SCOM TA
2021-08-05 16:37:11 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] Get 13 objects by 'Get-SCOMAlert -Name "*Windows Defender*"'
2021-08-05 16:37:09 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] --> serialize(Get-SCOMAlert -Name "*Windows Defender*")
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] Get object 'Get-SCOMAlert -Name "*Windows Defender*"' without checkpoint
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] --> executeCmd SCOM_DEV Get-SCOMAlert -Name "*Windows Defender*"
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] Command list: Get-SCOMAlert -Name "*Windows Defender*"
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] --> getCommands (groups=, commands=[Get-SCOMAlert -Name "*Windows Defender*"])
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] splunk version 7.3.4
2021-08-05 16:37:02 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] New SCOMManagementGroupConnection success
2021-08-05 16:36:55 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] --> run (groups=, commands=[Get-SCOMAlert -Name "*Windows Defender*"], loglevel=DEBUG)
2021-08-05 16:36:55 +02:00 [ log_level=WARN pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] Start SCOM TA
You can see it is calling the command correctly, but "without checkpoint".

When using a default input, it looks like this:

    GET Checkpoint
    [ log_level=DEBUG pid=10384 input=_Splunk_TA_microsoft_scom_internal_used_Events_test ] Got checkpoint '07/26/2021 10:54:39.220' from file 'D:\Splunk\var\lib\splunk\modinputs\scom\###U0NPTV9ERVY=###Get-SCOMAlert' successfully.

    SET Checkpoint
    2021-07-26 14:00:28 +02:00 [ log_level=DEBUG pid=10384 input=_Splunk_TA_microsoft_scom_internal_used_Events_test ] Set checkpoint '07/26/2021 11:54:14.790' to file 'D:\Splunk\var\lib\splunk\modinputs\scom\###U0NPTV9ERVY=###Get-SCOMAlert' successfully.


So the problem will be duplicate data if I run this regularly.

Does anybody have an idea how to fix this?

I have the feeling I've tried everything possible (different formats with " or ' at different positions). Also without wildcards in the Name field it's not working.

I guess it somehow cannot create the checkpoint file.

I also tried manipulating the "scom_command_loader.ps1" script with a new group that contains my query, but it also cannot create the checkpoint file.

Thanks in advance

Michael

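One thing worth checking on the forwarder, as an added diagnostic example (not code from the add-on or from the post): the checkpoint file name in the log above is built as `###<base64(server)>###<command>` (`U0NPTV9ERVY=` is the base64 of `SCOM_DEV`), and the filtered command contains `"` and `*`, which Windows does not allow in file names. This script assumes that naming scheme and reports which characters of a given command could not be part of a checkpoint file name; the `Get-ScomCheckpointName` and `Test-ScomCheckpointName` functions are hypothetical helpers, not part of the add-on.

```powershell
# Added diagnostic example, not part of the Splunk add-on or the original post.
# Assumption: the checkpoint file is named "###<base64(server)>###<command>",
# as the log lines show ("###U0NPTV9ERVY=###Get-SCOMAlert" for server SCOM_DEV
# and command Get-SCOMAlert).

function Get-ScomCheckpointName {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Command
    )
    $encodedServer = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Server))
    return "###$encodedServer###$Command"
}

function Test-ScomCheckpointName {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Command
    )
    $name = Get-ScomCheckpointName -Server $Server -Command $Command
    # Characters the local OS refuses in a file name; on Windows this includes " * < > | ? : \ /
    $invalid = [System.IO.Path]::GetInvalidFileNameChars()
    $bad = @($name.ToCharArray() | Where-Object { $invalid -contains $_ } | Sort-Object -Unique)
    [pscustomobject]@{
        Command          = $Command
        CheckpointName   = $name
        InvalidFileChars = ($bad -join ' ')
        IsValidFileName  = ($bad.Count -eq 0)
    }
}

# Compare the working default command with the filtered one from the post.
$server = 'SCOM_DEV'
@(
    'Get-SCOMAlert',
    'Get-SCOMAlert -Name "*Windows Defender*"'
) | ForEach-Object { Test-ScomCheckpointName -Server $server -Command $_ } | Format-List
```

Run it on the Windows heavy forwarder itself, since `GetInvalidFileNameChars()` returns a much shorter list on Linux; the first command yields exactly the `###U0NPTV9ERVY=###Get-SCOMAlert` name seen in the log, the second is flagged for `"` and `*`.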

deckemha
Explorer

Does anybody have an idea on this?

Thanks a lot!

Many Regards

Michael
