Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- ModularPowerShell still running
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the SA-ModularInput-PowerShell app deployed to some Windows universal forwarders.
When the forward re-installs an updated version of SA-ModularInput-PowerShell, it fails because PowerShell.exe is still running and therefore has a file lock on the subfolder SA-ModularInput-PowerShell/windows_x86_64.
splunkd.log shows: 02-06-2014 17:48:15.337 -0500 WARN DeployedApplication - Failed to create file D:\App\SplunkUniversalForwarder\etc\apps\SA-ModularInput-PowerShell\windows_x86_64\bin\PowerShell.exe while untarring D:\App\SplunkUniversalForwarder\var\run\win_hosts\SA-ModularInput-PowerShell-1391725349.bundle: The process cannot access the file because it is being used by another process.
Once I kill the PowerShell.exe process, the forwarder is able to proceed with re-installing the SA-ModularInput-PowerShell app.
PowerShell.exe is running as User Name splunk_user in the Task Manager.
Any idea why PowerShell.exe continues to run after the scripted modular input completes? Did I set this up wrong?
Here's the input that uses the SA-ModularInput-PowerShell app.
[powershell://Win32_Product]
script = Get-WmiObject -Class Win32_Product -ComputerName . | Select-Object Name,Vendor,Version,Caption,InstallDate
schedule = 0 9 * ? * *
sourcetype = software_inventory_win
index = inventory
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk Universal Forwarder are you using?
If it's not v6.0.1, be aware that we (along with any other installer) cannot clobber running processes. This is why Windows so often requires you to reboot your system to install software - the installer is clobbering a file that is running, so it renames the underlying file, copies the new file in and then the restart runs the new file. We've done the same thing in the latest version of the Splunk Universal Forwarder.
This doesn't take care of all the conditions. If you happen to restart while the script is running, then the PowerShell.exe process won't notice that we're restarting until the completion of the script. This may cause the restart to fail as a result. That's a different error but still a concern. SA-ModularInput-PowerShell is best suited for short lived scripts that produce their data quickly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk Universal Forwarder are you using?
If it's not v6.0.1, be aware that we (along with any other installer) cannot clobber running processes. This is why Windows so often requires you to reboot your system to install software - the installer is clobbering a file that is running, so it renames the underlying file, copies the new file in and then the restart runs the new file. We've done the same thing in the latest version of the Splunk Universal Forwarder.
This doesn't take care of all the conditions. If you happen to restart while the script is running, then the PowerShell.exe process won't notice that we're restarting until the completion of the script. This may cause the restart to fail as a result. That's a different error but still a concern. SA-ModularInput-PowerShell is best suited for short lived scripts that produce their data quickly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! The forwarders in this case are on 5.0.2. I'll explore 6.0.1 to see if that resolves this. My central splunk instance is only on 5.0.2 right now so I'll have to check compatibility.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
Announcing Modern Navigation: A New Era of Splunk User Experience
