Powershell - How can I assign Get-Date to SPLUNKTIME?

grnbrg
New Member

I have a powershell script that queries vCenter for the location of virtual machines but I have been unable to get the timestamp produced by Get-Date to be used as Time by Splunk.

Here is my script:

Connect-VIServer -Server server_name -user user_name -Password password
$VmInfo = ForEach ($Datacenter in (Get-Datacenter | Sort-Object -Property Name)) {
    ForEach ($Cluster in ($Datacenter | Get-Cluster | Sort-Object -Property Name)) {
        ForEach ($VM in ($Cluster | Get-VM | Sort-Object -Property Name)) {
            (get-date).ToString("yyyy-MM-dd HH:mm:ss") + " VM_Guest=""" + $VM.Name + """, VM_Datacenter=""" + $Datacenter.name + """, VM_Cluster=""" + $Cluster.Name + """, VM_Host=""" + $vm.VMHost.Name + """" 
        }
    }
}
$VmInfo | Add-member -MemberType AliasProperty -Name  SPLUNKTIME -value (get-date).ToString("yyyy-MM-dd HH:mm:ss") -PassThru
$VmInfo | Get-Member SPLUNKTIME | Write-Output
Disconnect-VIServer -Server server_name -Confirm:$False
0 Karma

JohanDC
New Member

SplunkTime should be in epoch format according to the documentation, so try something like this in your powershell script:

# Seconds since the Unix epoch, computed from the current UTC time
[int](New-TimeSpan -Start "01/01/1970" -End (Get-Date).ToUniversalTime()).TotalSeconds
0 Karma

jbennett_splunk
Splunk Employee

The techniques you're using look like a mix of old-school text-mode and PowerShell modular input. Are you using the Splunk AddOn for Microsoft PowerShell? See the output notes here, but the modular input expects you to output OBJECTS, not strings.

If you're not using the AddOn, then the "SPLUNKTIME" member doesn't do anything:

Connect-VIServer -Server server_name -user user_name -Password password 

ForEach ($Datacenter in (Get-Datacenter | Sort-Object -Property Name)) {
   ForEach ($Cluster in ($Datacenter | Get-Cluster | Sort-Object -Property Name)) {
      ForEach ($VM in ($Cluster | Get-VM | Sort-Object -Property Name)) {
         '{0:yyyy-MM-dd HH:mm:ss} VM_Guest="{1}" VM_Datacenter="{2}" VM_Cluster="{3}" VM_Host="{4}"' -f (
            (get-date), $VM.Name, $Datacenter.name, $Cluster.Name, $vm.VMHost.Name)
      }
   }
} 
Disconnect-VIServer -Server server_name -Confirm:$False

If you are, then you need to output an object, not a string. While I'm at it, I'd like to suggest you're wasting time making the extra calls to get the datacenter and cluster information, as it's already on the VM, and there's no point in sorting data that's going into Splunk:

Connect-VIServer -Server server_name -user user_name -Password password

Get-VM | Select-Object @{
    Name = "VM_Host"; Expression = { $_.VMHost.Name } }, @{
    Name = "VM_Guest"; Expression = { $_.Name } }, @{
    Name = "VM_Cluster"; Expression = { $_.VMHost.Parent.Name } }, @{
    Name = "VM_Datacenter"; Expression = { $_.VMHost.Parent.ParentFolder.Parent.Name } }, @{
    Name = "SplunkTime"; Expression = {Get-Date}
} # | Sort VM_Datacenter, VM_Cluster, VM_Host, VM_Guest

Disconnect-VIServer -Server server_name -Confirm:$False

You could put the sort back by just uncommenting that line, if you care about the order. And don't worry about the format of that date in your console: the modular input formats all DateTime objects according to the ISO standard format that Splunk recognizes, and it'll end up as _time in Splunk.

0 Karma

grnbrg
New Member

Thank you for your responses.

Here is an example of the script output:

10/13/14 12:46:57.521 PM
2014-10-13 12:46:54 VM_Guest="vm_guest", VM_Datacenter="DC", VM_Cluster="Cluster_PR", VM_Host="vmhost.domain"
host = SW-SYSAPPPR12 source = vCenter sourcetype = PowerShell:VC_Inventory

What I want is to have the timestamp in the event data used as the Splunk timestamp.

I edited the script to use SplunkTime rather than SPLUNKTIME with the same result.

0 Karma

ahall_splunk
Splunk Employee

I believe the correct field name is SplunkTime - note the camel case.

0 Karma

halr9000
Motivator

@ahall_splunk, like most things in Windows, variables in PowerShell are case-preserving, not case-sensitive.

http://technet.microsoft.com/en-us/library/hh847734.aspx

0 Karma

musskopf
Builder

Could you please paste here a couple of output lines from your script?

I've been using some PS scripts and never had issues apart from one server which had data in the future and Splunk was complaining (with reason). Are you using any special sourcetype, or is MAX_TIMESTAMP_LOOKAHEAD the default?

FYI I'm using this format for the event timestamp (Get-Date -Format "o"), my output lines look like:
2014-10-13T10:00:10.3369886+10:00, key1="value1", key2="value2"

In case I need to get some other timestamp as part of the key=value, I'm converting it to seconds which I believe is easier to perform calculations at reporting time.
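
The three timestamp shapes discussed in this thread (a DateTime carried in a SplunkTime property, a leading round-trip "o" timestamp on a text line, and epoch seconds), side by side. This is an added example, not code from any of the posters or from the Splunk add-on; the sample VM records are constructed so it runs without vCenter, and the function names and the VMHostName, Cluster and Datacenter property names are hypothetical.

```powershell
# Constructed sample records standing in for Get-VM output (no vCenter needed).
$sampleVMs = @(
    [pscustomobject]@{ Name = 'vm_guest01'; VMHostName = 'vmhost01.example'; Cluster = 'Cluster_PR'; Datacenter = 'DC' }
    [pscustomobject]@{ Name = 'vm "test" 02'; VMHostName = 'vmhost02.example'; Cluster = 'Cluster_PR'; Datacenter = 'DC' }
)

function ConvertTo-InventoryObject {
    # Object form: one object per VM, with SplunkTime carried as a DateTime.
    param([Parameter(ValueFromPipeline)]$VM, [datetime]$Timestamp = (Get-Date))
    process {
        [pscustomobject]@{
            VM_Guest      = $VM.Name
            VM_Host       = $VM.VMHostName
            VM_Cluster    = $VM.Cluster
            VM_Datacenter = $VM.Datacenter
            SplunkTime    = $Timestamp
        }
    }
}

function ConvertTo-InventoryLine {
    # Text form: round-trip ("o") timestamp first, then key="value" pairs.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $pairs = foreach ($p in $Record.PSObject.Properties) {
            if ($p.Name -eq 'SplunkTime') { continue }
            # Choice made by this example: swap embedded double quotes for
            # single quotes so a value cannot end its own key="value" pair early.
            '{0}="{1}"' -f $p.Name, ("$($p.Value)" -replace '"', "'")
        }
        '{0:o}, {1}' -f $Record.SplunkTime, ($pairs -join ', ')
    }
}

function ConvertTo-EpochSeconds {
    # Whole seconds since 1970-01-01 00:00:00 UTC for a given DateTime.
    param([datetime]$Timestamp)
    $epoch = [datetime]'1970-01-01'   # DateTime subtraction ignores Kind
    [long][math]::Floor(($Timestamp.ToUniversalTime() - $epoch).TotalSeconds)
}

$now     = Get-Date
$records = $sampleVMs | ConvertTo-InventoryObject -Timestamp $now
$records                              # objects, one per VM
$records | ConvertTo-InventoryLine    # text events, one line per VM
ConvertTo-EpochSeconds -Timestamp $now
```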
