Splunk 7 powershell input not emitting

New Member

I can't for the life of me get powershell input to work correctly.
I realize this is asked a lot but I'm not able to find a working answer for Splunk 7 after quite a lot of searching.
I have the PowerShell, Windows infrastructure, and AD add-ons installed. Splunk is running on Server 2016 with the system account.

Input in apps\Splunk_TA_windows\local
[powershell://win32share]
script = gwmi Win32_Share | where Type -eq 0 | select name,path,status | Select-Object *,@{n="SplunkHost";e={$Env:SPLUNK_SERVER_NAME}}
sourcetype = Windows:Process
schedule = 0 */5 * * *

This worked once after which I could not get it to work again. I even changed the name, tried changing index and source type, etc.
The reason I changed it was to put this into a script as I'm trying to rebuild the file share monitoring from old Splunk blog posts.

The script input was
[powershell://win32share]
script = . "$SplunkHome\etc\apps\Splunk_TA_windows\bin\win32share.ps1"
index = windows
source = Powershell
sourcetype = Windows:Share
schedule = 0 */5 * * *

Test script of
gwmi Win32_Share | where Type -eq 0 | Select-Object name,path,status

I'm having a real hard time finding where to look to see if the command / script are even attempted. I've tried reading splunkd, powershell log, and searching internal.
Also, does the source type need to be pre-defined or can it be anything I want?
PS new to Splunk but this has been the only hurdle so far.

Any help is greatly appreciated.

0 Karma
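One way to rebuild the share inventory script described in the question, as an added example (this is not the poster's win32share.ps1 and not part of the Splunk add-on). It assumes the powershell:// modular input turns every object the script leaves on the pipeline into one event whose fields are the object's properties, that splunkd populates SPLUNK_SERVER_NAME in the script's environment (the fallback to COMPUTERNAME is only there so the file can be run by hand first), and that Get-SmbShareAccess from the SmbShare module is available (Windows Server 2012 and later). The Record, TypeName and Error fields are names chosen for this example.

```powershell
# win32share.ps1 (added example, not the original post's script).
# Drop into Splunk_TA_windows\bin and dot-source it from the powershell:// stanza;
# run it from a PowerShell prompt first: if nothing is written here, Splunk gets no events.

function Get-ShareTypeName {
    # Win32_Share.Type: 0 disk, 1 print queue, 2 device, 3 IPC; the same values with
    # the high bit (0x80000000) set are the hidden administrative shares.
    param([uint32]$Type)
    switch ($Type) {
        0          { 'Disk' }
        1          { 'PrintQueue' }
        2          { 'Device' }
        3          { 'IPC' }
        2147483648 { 'DiskAdmin' }        # C$, D$, ADMIN$
        2147483649 { 'PrintQueueAdmin' }
        2147483650 { 'DeviceAdmin' }
        2147483651 { 'IPCAdmin' }         # IPC$
        default    { "Unknown($Type)" }
    }
}

function Get-ShareInventory {
    param(
        [switch]$IncludeAdminShares,   # also report C$, ADMIN$, IPC$ etc.
        [switch]$IncludeAccess         # one extra event per share-level ACE
    )

    # SPLUNK_SERVER_NAME is assumed to be set only when splunkd launches the script.
    $splunkHost = if ($Env:SPLUNK_SERVER_NAME) { $Env:SPLUNK_SERVER_NAME } else { $Env:COMPUTERNAME }

    try {
        $shares = Get-CimInstance -ClassName Win32_Share -ErrorAction Stop
    } catch {
        # Emit a record rather than dying silently: a failing script that produces
        # no objects is indistinguishable in the index from a script that never ran.
        [PSCustomObject]@{ Record = 'Error'; SplunkHost = $splunkHost; Error = $_.Exception.Message }
        return
    }

    if (-not $IncludeAdminShares) {
        # Type 0 is a plain disk share, the same filter as "where Type -eq 0" in the question.
        $shares = $shares | Where-Object { $_.Type -eq 0 }
    }

    foreach ($share in $shares) {
        [PSCustomObject]@{
            Record      = 'Share'
            SplunkHost  = $splunkHost
            Name        = $share.Name
            Path        = $share.Path
            Type        = $share.Type
            TypeName    = Get-ShareTypeName -Type $share.Type
            Status      = $share.Status
            Description = $share.Description
        }

        if ($IncludeAccess) {
            # Share-level permissions only (NTFS ACLs on the path are a separate check).
            $aces = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue
            foreach ($ace in $aces) {
                [PSCustomObject]@{
                    Record            = 'ShareAccess'
                    SplunkHost        = $splunkHost
                    Name              = $share.Name
                    AccountName       = $ace.AccountName
                    AccessControlType = $ace.AccessControlType   # Allow / Deny
                    AccessRight       = $ace.AccessRight         # Read / Change / Full
                }
            }
        }
    }
}

# Whatever reaches the pipeline here becomes events when the input dot-sources the file.
Get-ShareInventory -IncludeAccess
```

Run the file interactively as the same account Splunk uses before wiring it into inputs.conf; a script that throws before emitting anything, or that only assigns to variables, produces no events at all, which is easy to mistake for a scheduler problem. Emitting an explicit Error record on failure also gives you something to search for when the script did run but could not query WMI.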

Path Finder

I've found that from Splunk v6.6+, PowerShell script scheduling is broken (i.e. it runs extremely sporadically, if at all) - there appears to be an issue with sending signals from $SPLUNK_HOME/bin/splunk-powershell.exe to $SPLUNK_HOME/bin/splunk-powershell-common.ps1 - specifically the WaitForWinMultipleObjects statement in the waitCronEvents function just isn't getting anything meaningful to respond to.

I've raised the issue with Splunk and am awaiting a resolution.

Short term work-arounds - I've found two (both work for Splunk v6.6, not tested under 7.0.x)

  1. Replace splunk-powershell.exe with a version from an earlier version of Splunk (any of the 6.5.x series appear to be fine).
  2. Deploy the Splunk Add-on for Microsoft PowerShell (SA-ModularInput-PowerShell). I renamed SA-ModularInput-PowerShell\windows_x86_64\PowerShell.exe to PowerShellM.exe (ditto for the associated config file), and updated the README\inputs.conf.spec (to [powershellm://default]), in order to avoid namespace conflicts. Reminder - the add-on uses a different scheduler, so you'll need to update your schedule to match.
0 Karma

Path Finder

This should now be fixed in v6.6.6.

Initial testing with this version indicates that PowerShell scripts are being run on schedule again.

0 Karma