No matter what I do, I am unable to get the input to load, it fails with...
Fatal 2014-11-04T15:54:24.7870003Z Failed to parse stanza name="powershell://PowerShell-Test" Unexpected end of expression.
Info 2014-11-04T15:54:24.8026266Z Modular PowerShell Initialized Successfully: 0 Jobs Loaded
Debug 2014-11-04T15:54:25.0057597Z Scheduler Started. Scheduling 0 Jobs
inputs.conf...
[powershell://PowerShell-Test]
index = powershelltest
schedule = 51 10 4 * *
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1"
sourcetype = Windows:PowerShell
I have tried multiple ways...
script = . "E:\Splunk\bin\scripts\PowerShellTest.ps1"
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1 -pcgSrvs TestSrv"
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1 TestSrv"
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1" "TestSrv"
I know it's not a permissions thing for PowerShell because the script works correctly the old way using the .path file...
Inputs.conf...
[script://$SPLUNK_HOME\bin\scripts\PowerShellTest.path]
index = powershelltest
interval = 32 10 3 * *
sourcetype = Windows:PowerShell
PowerShellTest.path....
$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command "& $SPLUNK_HOME\bin\scripts\PowerShellTest.ps1" "TestSrv"
Environment...
Splunk 6.2
SA-ModularInput-PowerShell 1.2.0
Windows 2012 R2 64Bit
PowerShell 4.0
So I am not sure what "Unexpected end of expression" is referring to or how to troubleshoot it.
Any assistance is greatly appreciated,
Scott
"Failed to parse stanza" means that it's failing before PowerShell is ever invoked. That is, that error message is a problem with the configuration, not your PowerShell script.
Your problem is that your "schedule" isn't a valid cron string (at least, not for the Quartz scheduler I'm using). You have to specify the last two digits ( * ? ) ... and without getting into it too deeply: Quartz has an extra "seconds" field on the front of a normal cron string (I didn't notice until after we'd released the first version that normally cron strings aren't that precise).
So anyway, you need to change schedule to be 0 51 10 4 * ?
as an example, this would fire at 2:55 on the 11th:
[powershell://PowerShell-Test]
index = powershelltest
schedule = 0 55 2 11 * ?
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1"
sourcetype = Windows:PowerShell
P.S. If you're "Unable to initialize modular input" -- that's a completely different error indicating the program can't even run. Usually you're getting PowerShell2 is unable to initialize because you're on a system that has PowerShell 3 or 4, and you don't have the old .Net 3.5 framework installed so we can't run the older PowerShell2.
Does it work with one of the built in examples? Are you handling output as specified here? http://docs.splunk.com/Documentation/AddOns/latest/MSPowerShell/Writescriptsforthemodularinput#Outpu...
I also see an error after reboot...
Unable to initialize modular input "powershell" defined inside the app "SA-ModularInput-PowerShell": Introspecting scheme=powershell: script running failed (exited with code -1).
Permissions are correct...
PS C:> Get-ExecutionPolicy
RemoteSigned
PS C:>
Perhaps I'll try and re-install it.
@jcoates_splunk seems I am not permitted to add a comment to your answer so I will put my reply here...
First, thank you for the quick reply.
The built in examples return the same error "Unexpected end of expression"
even the simplest powershell call returns the same...
gci c:\ | Select-Object *
The section in the doc about testing PowerShell.exe --input sample_input.xml just returns one line and does not exit.
The output works when using the .path method to schedule the input, either way I am sending the output as described in the link you posted using Write-Output and organizing the data in the format of key="value"