hexx, thanks so much. that last suggestion got it working!

Why not enable the input manually in %SPLUNK_HOME%\etc\apps\TA-sos_win\local\inputs.conf then?

[script://.\bin\sospowershell.cmd ps_sos.ps1]
disabled = 0

cannot edit input "./bin/ps_sos.ps1", no input exists with that name
that is the error I get when I use the ps_sos.ps1 with the single quotes removed

still getting the 404 error

Ah! In that case, the scripted input you need to enable is 'ps_sos.ps1', not 'ps_sos.sh'.

As the README file of the S.o.S technology add-on for Windows states:

Enable the scripted inputs that collect information for the SoS Splunk CPU/Memory
Usage and Distributed Searches Memory Usage views:

(...)

b) Run the following from a command or PowerShell prompt:

  %SPLUNK_HOME%\bin\splunk _internal call \
  '/servicesNS/nobody/TA-sos/data/inputs/script/.%252Fbin%252Fps_sos.ps1' \
  -post:disabled 0

This is a windows box. It doesn't have grep

Please show here the output of:

• $SPLUNK_HOME/bin/splunk cmd btool inputs list 'script:' --debug | grep -A7 'ps_sos.sh'
• grep 'ps_sos' $SPLUNK_HOME/var/log/splunk/metrics.log | head -10

It's like the script can't find anything on port 8089

Sorry, the script fails with a 404 error.

I added the input manually and it still isn't showing up. I find the following message in splunkd.log:
splunk-regmon - No enabled entries have been found for regmon or procman in the conf file

Sounds like the ps_sos.sh scripted input was not successfully enabled on the forwarder. I would suggest to use "splunk login" and log in as admin before running that command again.

Alternatively, you can enable that input manually in $SPLUNK_HOME/etc/apps/TA-sos/local/inputs.conf.

This script fails with a 401 error:
$SPLUNK_HOME/bin/splunk _internal call '/servicesNS/nobody/TA-sos/data/inputs/script/.%252Fbin%252Fps_sos.sh' -post:disabled 0

I did now and it still isn't showing any SoS data. Like I said previously, I did the "index=sos sourcetype=ps | stats count by host" test per the installation instructions but it isn't returning the name of the server in the list.

Have you manually added the forwarder to the "splunk_servers_cache.csv" lookup in $SPLUNK_HOME/etc/apps/sos/lookups on the search-head, as recommended?

When I run the test on the search-head it does not return the server name in the list. So the forwarder is not sending any SoS data to the search-head. Although the forwarder is sending splunk data.

I think you're asking "Now that my forwarder is collecting data with the scripted inputs of the S.o.S technology add-on, how do I consult that information in the S.o.S app on the search-head?".

If that is accurate, please consult this Splunk Answer which addresses that scenario.

The short version is: You'll need to manually add your forwarder to the "splunk_servers_cache.csv" lookup.

We have plans to make this an automated step in a future release.