All Apps and Add-ons

Modular PowerShell - Failed to parse stanza name="powershell://PowerShell-Test" Unexpected end of expression.

s33butler
New Member

No matter what I do, I am unable to get the input to load, it fails with...

Fatal 2014-11-04T15:54:24.7870003Z Failed to parse stanza name="powershell://PowerShell-Test" Unexpected end of expression.
Info 2014-11-04T15:54:24.8026266Z Modular PowerShell Initialized Successfully: 0 Jobs Loaded
Debug 2014-11-04T15:54:25.0057597Z Scheduler Started. Scheduling 0 Jobs

inputs.conf...
[powershell://PowerShell-Test]
index = powershelltest
schedule = 51 10 4 * *
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1"
sourcetype = Windows:PowerShell

I have tried multiple ways...
script = . "E:\Splunk\bin\scripts\PowerShellTest.ps1"
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1 -pcgSrvs TestSrv"
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1 TestSrv"
script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1" "TestSrv"

I know it's not a permissions thing for PowerShell because the script works correctly the old way using the .path file...
Inputs.conf...
[script://$SPLUNK_HOME\bin\scripts\PowerShellTest.path]
index = powershelltest
interval = 32 10 3 * *
sourcetype = Windows:PowerShell

PowerShellTest.path....
$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command "& $SPLUNK_HOME\bin\scripts\PowerShellTest.ps1" "TestSrv"

Environment...
Splunk 6.2
SA-ModularInput-PowerShell 1.2.0
Windows 2012 R2 64Bit
PowerShell 4.0

So I am not sure what "Unexpected end of expression" is referring to or how to troubleshoot it.
Any assistance is greatly appreciated,
Scott

0 Karma

jbennett_splunk
Splunk Employee
Splunk Employee

"Failed to parse stanza" means that it's failing before PowerShell is ever invoked. That is, that error message is a problem with the configuration, not your PowerShell script.

Your problem is that your "schedule" isn't a valid cron string (at least, not for the Quartz scheduler I'm using). You have to specify the last two digits ( * ? ) ... and without getting into it too deeply: Quartz has an extra "seconds" field on the front of a normal cron string (I didn't notice until after we'd released the first version that normally cron strings aren't that precise).

So anyway, you need to change schedule to be 0 51 10 4 * ? as an example, this would fire at 2:55 on the 11th:

[powershell://PowerShell-Test]
 index = powershelltest
 schedule = 0 55 2 11 * ?
 script = . "$SPLUNK_HOME\bin\scripts\PowerShellTest.ps1"
 sourcetype = Windows:PowerShell

P.S. If you're "Unable to initialize modular input" -- that's a completely different error indicating the program can't even run. Usually you're getting PowerShell2 is unable to initialize because you're on a system that has PowerShell 3 or 4, and you don't have the old .Net 3.5 framework installed so we can't run the older PowerShell2.

jcoates_splunk
Splunk Employee
Splunk Employee

Does it work with one of the built in examples? Are you handling output as specified here? http://docs.splunk.com/Documentation/AddOns/latest/MSPowerShell/Writescriptsforthemodularinput#Outpu...

0 Karma

s33butler
New Member

I also see an error after reboot...

Unable to initialize modular input "powershell" defined inside the app "SA-ModularInput-PowerShell": Introspecting scheme=powershell: script running failed (exited with code -1).

Permissions are correct...

PS C:> Get-ExecutionPolicy
RemoteSigned
PS C:>

Perhaps I'll try and re-install it.

0 Karma

s33butler
New Member

@jcoates_splunk seems I am not permitted to add a comment to your answer so I will put my reply here...

First, thank you for the quick reply.

The built in examples return the same error "Unexpected end of expression"
even the simplest powershell call returns the same...
gci c:\ | Select-Object *

The section in the doc about testing PowerShell.exe --input sample_input.xml just returns one line and does not exit.

The output works when using the .path method to schedule the input, either way I am sending the output as described in the link you posted using Write-Output and organizing the data in the format of key="value"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...