PowerShell input suddenly stops indexing data

sylbaea
Communicator

Hello,

I have the following input

[powershell://Audit]
script = & "$SplunkHome\etc\apps###\bin\Audit.ps1"
schedule = 45 * * ? * *
index = ###
sourcetype = ###
source = Powershell
disabled = 0

Audit.ps1 is periodically executed to collect local data I need to audit. It works fine for a given period, then suddenly stops collecting data until I restart the UF.
At the time indexing stops, I see the following WARN in splunkd.log:

01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Tag "\stream\event\data" was unexpected.
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "index".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "source".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "sourcetype".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "event".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "time".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "data".
01-18-2017 13:20:15.713 +0000 WARN  ExecProcessor - Streaming XML data: Expected tag "event", instead received "index".

As the collected data changes from one script call to another, I guess there is a special character or syntax that is making the input crash. But I cannot figure out exactly what (note: I cannot post the collected data on the forum, it is a bit sensitive).

Any suggestions for troubleshooting the problem?

Regards.

Sylvain

0 Karma

eshess
New Member

Can we see the script? I saw similar behavior recently and I ended up fixing it by changing how I handled my output to Splunk.

I was initially doing something like:
Write-Output "Key = Value"

When I switched to creating a custom PSObject with the key/value pair as properties on the object it seems to be working as intended:

$props = @{
'Key' = 'Value';
}
$Output = New-Object -TypeName PSObject -Property $props
Write-Output $Output
0 Karma

sylbaea
Communicator

Thanks for your feedback. I see your point, and I think I am ok on that part.
For that case, the output is generated by this piece of code

            foreach ($DataRow in $DataTable) {
                $Object = New-Object PSObject -Property @{ ServerInstance=$sql.DataSource }
                foreach ($Element in $($DataRow | Get-Member | Where-Object { $_.MemberType -eq "Property" })) {
                    $Object | Add-Member -MemberType NoteProperty -Name $Element.Name -Value $($DataRow[$Element.Name])
                }
                Write-Output $Object
            }
0 Karma
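
One way to test the guess from the first post without exposing the collected data, as an added example that is not part of the thread or of any Splunk code. It assumes the stream breaks on characters that XML 1.0 does not allow, which the thread does not confirm; the function names `Find-InvalidXmlChar` and `ConvertTo-XmlSafeObject` and the sample row are hypothetical.

```powershell
# Added example. Assumption: the input fails on characters XML 1.0 forbids.
# XML 1.0 allows only TAB, LF and CR among the C0 controls, and it also bars
# U+FFFE, U+FFFF and unpaired surrogates.
$InvalidXmlChar = '[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\uD800-\uDFFF]' +
                  '|[\uD800-\uDBFF](?![\uDC00-\uDFFF])' +
                  '|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]'

# Diagnostic: list which property holds a forbidden character, and where.
# Only the property name, offset and code point are emitted, never the value.
function Find-InvalidXmlChar {
    param([Parameter(ValueFromPipeline = $true)] $InputObject)
    process {
        foreach ($prop in $InputObject.PSObject.Properties) {
            if ($null -eq $prop.Value) { continue }
            foreach ($m in [regex]::Matches([string]$prop.Value, $InvalidXmlChar)) {
                New-Object PSObject -Property @{
                    Property  = $prop.Name
                    Offset    = $m.Index
                    CodePoint = 'U+{0:X4}' -f [int]($m.Value[0])
                }
            }
        }
    }
}

# Mitigation: copy the object, replacing forbidden characters in string values.
function ConvertTo-XmlSafeObject {
    param([Parameter(ValueFromPipeline = $true)] $InputObject)
    process {
        $clean = New-Object PSObject
        foreach ($prop in $InputObject.PSObject.Properties) {
            $value = $prop.Value
            if ($value -is [string]) {
                $value = [regex]::Replace($value, $InvalidXmlChar, '?')
            }
            $clean | Add-Member -MemberType NoteProperty -Name $prop.Name -Value $value
        }
        $clean
    }
}

# Constructed sample row standing in for one $Object from the loop above;
# the Note value carries a vertical tab, which XML 1.0 does not allow.
$sample = New-Object PSObject -Property @{
    ServerInstance = 'SRV01'
    Note           = "ok$([char]0x0B)text"
}
$sample | Find-InvalidXmlChar        # diagnostic rows for the offending property
$sample | ConvertTo-XmlSafeObject    # sanitized copy, safe to Write-Output
```

In a script like the one above, the diagnostic rows can be written to a local file on the forwarder while `Write-Output ($Object | ConvertTo-XmlSafeObject)` replaces the plain `Write-Output $Object`.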