Solved: ModularPowerShell still running

sloshburch · ‎02-07-2014

I have the SA-ModularInput-PowerShell app deployed to some Windows universal forwarders.

When the forward re-installs an updated version of SA-ModularInput-PowerShell, it fails because PowerShell.exe is still running and therefore has a file lock on the subfolder SA-ModularInput-PowerShell/windows_x86_64.

splunkd.log shows: 02-06-2014 17:48:15.337 -0500 WARN DeployedApplication - Failed to create file D:\App\SplunkUniversalForwarder\etc\apps\SA-ModularInput-PowerShell\windows_x86_64\bin\PowerShell.exe while untarring D:\App\SplunkUniversalForwarder\var\run\win_hosts\SA-ModularInput-PowerShell-1391725349.bundle: The process cannot access the file because it is being used by another process.

Once I kill the PowerShell.exe process, the forwarder is able to proceed with re-installing the SA-ModularInput-PowerShell app.

PowerShell.exe is running as User Name splunk_user in the Task Manager.

Any idea why PowerShell.exe continues to run after the scripted modular input completes? Did I set this up wrong?

Here's the input that uses the SA-ModularInput-PowerShell app.

[powershell://Win32_Product]
    script = Get-WmiObject -Class Win32_Product -ComputerName . | Select-Object Name,Vendor,Version,Caption,InstallDate
    schedule = 0 9 * ? * *
    sourcetype = software_inventory_win
    index = inventory

ahall_splunk · ‎02-07-2014

What version of Splunk Universal Forwarder are you using?

If it's not v6.0.1, be aware that we (along with any other installer) cannot clobber running processes. This is why Windows so often requires you to reboot your system to install software - the installer is clobbering a file that is running, so it renames the underlying file, copies the new file in and then the restart runs the new file. We've done the same thing in the latest version of the Splunk Universal Forwarder.

This doesn't take care of all the conditions. If you happen to restart while the script is running, then the PowerShell.exe process won't notice that we're restarting until the completion of the script. This may cause the restart to fail as a result. That's a different error but still a concern. SA-ModularInput-PowerShell is best suited for short lived scripts that produce their data quickly.

View solution in original post

ahall_splunk · ‎02-07-2014

What version of Splunk Universal Forwarder are you using?

If it's not v6.0.1, be aware that we (along with any other installer) cannot clobber running processes. This is why Windows so often requires you to reboot your system to install software - the installer is clobbering a file that is running, so it renames the underlying file, copies the new file in and then the restart runs the new file. We've done the same thing in the latest version of the Splunk Universal Forwarder.

This doesn't take care of all the conditions. If you happen to restart while the script is running, then the PowerShell.exe process won't notice that we're restarting until the completion of the script. This may cause the restart to fail as a result. That's a different error but still a concern. SA-ModularInput-PowerShell is best suited for short lived scripts that produce their data quickly.

sloshburch · ‎02-07-2014

Thanks! The forwarders in this case are on 5.0.2. I'll explore 6.0.1 to see if that resolves this. My central splunk instance is only on 5.0.2 right now so I'll have to check compatibility.

ModularPowerShell still running

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?