
Powershell - How can I assign Get-Date to SPLUNKTIME?

grnbrg
New Member

I have a PowerShell script that queries vCenter for the location of virtual machines, but I have been unable to get the timestamp produced by Get-Date used as the time by Splunk.

Here is my script:

Connect-VIServer -Server server_name -user user_name -Password password
$VmInfo = ForEach ($Datacenter in (Get-Datacenter | Sort-Object -Property Name)) {
    ForEach ($Cluster in ($Datacenter | Get-Cluster | Sort-Object -Property Name)) {
        ForEach ($VM in ($Cluster | Get-VM | Sort-Object -Property Name)) {
            (get-date).ToString("yyyy-MM-dd HH:mm:ss") + " VM_Guest=""" + $VM.Name + """, VM_Datacenter=""" + $Datacenter.name + """, VM_Cluster=""" + $Cluster.Name + """, VM_Host=""" + $vm.VMHost.Name + """" 
        }
    }
}
$VmInfo | Add-member -MemberType AliasProperty -Name  SPLUNKTIME -value (get-date).ToString("yyyy-MM-dd HH:mm:ss") -PassThru
$VmInfo | Get-Member SPLUNKTIME | Write-Output
Disconnect-VIServer -server sw-vcenterpr71 -Confirm:$False

JohanDC
New Member

SplunkTime should be in epoch format according to the documentation, so try something like this in your PowerShell script:

[int](New-TimeSpan -Start "01/01/1970" -End (Get-Date).ToUniversalTime()).TotalSeconds
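The epoch conversion suggested above, as an added example that is not part of the thread: a small function that measures the time since the Unix epoch in UTC, plus a check of what goes wrong when the ToUniversalTime() step is left out. The function name ConvertTo-UnixEpochSeconds and the fixed sample date are my own choices; the cross-check uses [DateTimeOffset]::ToUnixTimeSeconds(), which assumes .NET 4.6 or later (PowerShell 5.1 or newer).

```powershell
# Added example (not from the thread): convert a PowerShell [datetime] to Unix epoch seconds,
# the format Splunk expects for SplunkTime, and show why the UTC conversion matters.

function ConvertTo-UnixEpochSeconds {
    param([Parameter(Mandatory)][datetime]$Date)
    # The epoch start is defined in UTC. Building it with the constructor rather than parsing
    # a string keeps the result independent of the machine's date culture (dd/MM vs MM/dd).
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    # ToUniversalTime() is the step that is easy to forget: a local-time Get-Date measured
    # against a UTC epoch is off by the machine's UTC offset, which puts events in the
    # future (or past) by several hours once they reach Splunk.
    [int64][math]::Floor(($Date.ToUniversalTime() - $epoch).TotalSeconds)
}

# Constructed sample: a fixed local-time value so the run is reproducible on any machine.
$sample = [datetime]::new(2014, 10, 13, 12, 46, 54, [DateTimeKind]::Local)
$epochSeconds = ConvertTo-UnixEpochSeconds -Date $sample

# Cross-check against .NET's own conversion (DateTimeOffset knows the local offset of $sample).
$expected = [DateTimeOffset]::new($sample).ToUnixTimeSeconds()
if ($epochSeconds -ne $expected) { throw "epoch mismatch: $epochSeconds vs $expected" }

# What happens when the UTC conversion is skipped: the naive value differs from the correct one
# by exactly the local UTC offset in force on that date.
$naive = [int64]($sample - [datetime]'1970-01-01').TotalSeconds
$offsetSeconds = [int64][TimeZoneInfo]::Local.GetUtcOffset($sample).TotalSeconds
if (($naive - $epochSeconds) -ne $offsetSeconds) { throw "unexpected difference: $($naive - $epochSeconds)" }

"SplunkTime=$epochSeconds (naive=$naive, differs by $offsetSeconds s, the local UTC offset)"
```

On a machine set to UTC the naive and correct values coincide, which is why this bug often survives testing on a server and only shows up on a collector in another time zone.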

jbennett_splunk
Splunk Employee

The techniques you're using look like a mix of old-school text mode and PowerShell modular input. Are you using the Splunk Add-on for Microsoft PowerShell? See the output notes here, but the modular input expects you to output OBJECTS, not strings.

If you're not using the Add-on, then the "SPLUNKTIME" member doesn't do anything:

Connect-VIServer -Server server_name -user user_name -Password password 

ForEach ($Datacenter in (Get-Datacenter | Sort-Object -Property Name)) {
   ForEach ($Cluster in ($Datacenter | Get-Cluster | Sort-Object -Property Name)) {
      ForEach ($VM in ($Cluster | Get-VM | Sort-Object -Property Name)) {
         '{0:yyyy-MM-dd HH:mm:ss} VM_Guest="{1}" VM_Datacenter="{2}" VM_Cluster="{3}" VM_Host="{4}"' -f (
            (get-date), $VM.Name, $Datacenter.name, $Cluster.Name, $vm.VMHost.Name)
      }
   }
} 
Disconnect-VIServer -server sw-vcenterpr71 -Confirm:$False 

If you are, then you need to output an object, not a string. While I'm at it, I'd like to suggest you're wasting time making the extra calls to get the datacenter and cluster information, as it's already on the VM, and there's no point in sorting data that's going into Splunk:

Connect-VIServer -Server server_name -user user_name -Password password

Get-VM | Select-Object @{
    Name = "VM_Host"; Expression = { $_.VMHost.Name } }, @{
    Name = "VM_Guest"; Expression = { $_.Name } }, @{
    Name = "VM_Cluster"; Expression = { $_.VMHost.Parent.Name } }, @{
    Name = "VM_Datacenter"; Expression = { $_.VMHost.Parent.ParentFolder.Parent.Name } }, @{
    Name = "SplunkTime"; Expression = {Get-Date}
} # | Sort VM_Datacenter, VM_Cluster, VM_Host, VM_Guest

Disconnect-VIServer -Server server_name -Confirm:$False

You could put the sort back by just uncommenting that line, if you care about the order. Don't worry about the format of that date in your console: the modular input formats all DateTime objects according to the ISO standard format that Splunk recognizes, and it'll end up as _time in Splunk.


grnbrg
New Member

Thank you for your responses.

Here is an example of the script output:

10/13/14 12:46:57.521 PM 2014-10-13 12:46:54 VM_Guest="vm_guest", VM_Datacenter="DC", VM_Cluster="Cluster_PR", VM_Host="vmhost.domain" host = SW-SYSAPPPR12 source = vCenter sourcetype = PowerShell:VC_Inventory

What I want is to have the timestamp in the event data used as the Splunk timestamp.

I edited the script to use SplunkTime rather than SPLUNKTIME with the same result.


ahall_splunk
Splunk Employee

I believe the correct field name is SplunkTime - note the camel case.


halr9000
Motivator

@ahall_splunk, like most things in Windows, variables in PowerShell are case-preserving, not case-sensitive.

http://technet.microsoft.com/en-us/library/hh847734.aspx


musskopf
Builder

Could you please paste here a couple of output lines from your script?

I've been using some PS scripts and never had issues, apart from one server which had data in the future and Splunk was complaining (with reason). Are you using any special sourcetype, or is MAX_TIMESTAMP_LOOKAHEAD the default?

FYI, I'm using this format for the event timestamp (Get-Date -Format "o"); my output line looks like:
2014-10-13T10:00:10.3369886+10:00, key1="value1", key2="value2"

In case I need to include some other timestamp as part of the key=value pairs, I'm converting it to seconds, which I believe makes it easier to perform calculations at reporting time.
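The two output shapes recommended in this thread, as an added example that is not code from the thread or from the Splunk Add-on: jbennett_splunk's object output (a DateTime property named SplunkTime, which the modular input turns into _time) and musskopf's text-mode line with an ISO 8601 "o" timestamp at the start. The VM objects are constructed inline so the script runs without PowerCLI; the function names New-VmInventoryEvent and Format-VmInventoryLine are mine, and the property paths VMHost.Parent and VMHost.Parent.ParentFolder.Parent are assumed to resolve the same way they do in the Select-Object version above.

```powershell
# Added example (not from the thread): emit VM inventory events for Splunk in both the
# modular-input (object) form and the text-mode form, with the timestamp handled correctly.

function New-VmInventoryEvent {
    param([Parameter(Mandatory)][psobject]$Vm)
    # Object output: the modular input serialises every property as a field and formats
    # DateTime values as ISO 8601; the property named SplunkTime becomes _time.
    [pscustomobject]@{
        VM_Guest      = $Vm.Name
        VM_Host       = $Vm.VMHost.Name
        VM_Cluster    = $Vm.VMHost.Parent.Name
        VM_Datacenter = $Vm.VMHost.Parent.ParentFolder.Parent.Name
        SplunkTime    = Get-Date          # keep it a [datetime], not a pre-formatted string
    }
}

function Format-VmInventoryLine {
    param([Parameter(Mandatory)][psobject]$Vm, [datetime]$Timestamp = (Get-Date))
    # Text-mode output: put a round-trippable timestamp ("o" = ISO 8601 with UTC offset) first,
    # so Splunk finds it within the default MAX_TIMESTAMP_LOOKAHEAD and the offset travels with
    # the event instead of depending on the indexer's time zone.
    '{0}, VM_Guest="{1}", VM_Datacenter="{2}", VM_Cluster="{3}", VM_Host="{4}"' -f (
        $Timestamp.ToString('o'),
        $Vm.Name,
        $Vm.VMHost.Parent.ParentFolder.Parent.Name,
        $Vm.VMHost.Parent.Name,
        $Vm.VMHost.Name)
}

# Constructed sample data standing in for Get-VM results (hypothetical names, not real hosts).
$dc      = [pscustomobject]@{ Name = 'DC' }
$folder  = [pscustomobject]@{ Parent = $dc }
$cluster = [pscustomobject]@{ Name = 'Cluster_PR'; ParentFolder = $folder }
$vmhost  = [pscustomobject]@{ Name = 'vmhost.domain'; Parent = $cluster }
$vms = @(
    [pscustomobject]@{ Name = 'vm_guest';  VMHost = $vmhost },
    [pscustomobject]@{ Name = 'vm_guest2'; VMHost = $vmhost }
)

# Modular-input form: the script's output is simply the objects themselves.
$events = $vms | ForEach-Object { New-VmInventoryEvent -Vm $_ }
$events | Format-Table -AutoSize

# Text-mode form: one line per VM, timestamp first.
$vms | ForEach-Object { Format-VmInventoryLine -Vm $_ }

# Sanity check worth keeping in a collector script: every timestamp is a DateTime and is not
# in the future, the condition musskopf describes Splunk rejecting on one of his servers.
foreach ($e in $events) {
    if ($e.SplunkTime -isnot [datetime]) {
        throw "SplunkTime must be a DateTime, got $($e.SplunkTime.GetType().Name)"
    }
    if ($e.SplunkTime -gt (Get-Date).AddMinutes(5)) {
        throw "SplunkTime is in the future: $($e.SplunkTime)"
    }
}
```

Run the object form under the Add-on's modular input and the text form from a plain scripted input; in both cases the timestamp is carried as a typed or ISO 8601 value rather than as a culture-dependent string, which is what keeps _time from drifting by the local UTC offset.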
