- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Add-on for Microsoft PowerShell: How to run...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi folks,
I am having problems integrating the Splunk Add-on for Microsoft Powershell. My goal is that I want to run a process that collects machine data once a day at a specific time across all my systems, then feed the data to a dashboard for reporting. I've tried the Splunk_TA_Windows installedapps.bat file, but that does not collect the right information. I also tried WinHOSTMon which does get the data, but has a field extraction issue with the DisplayName field, and further has been deprecated as of 6.3. I am now using Powershell and am having problems.
Below is my input syntax:
# this should run every 5 minutes for testing and QC of the dashboard.
[powershell://installedapps]
script = . "$SplunkHome\etc\apps\Splunk_TA_windows\bin\installedapps.ps1"
index = windows
interval = 0 /5 * ? * ? *
sourcetype = powershell:installedapps
disabled = false
The input runs the following powershell command:
Get-WmiObject -Class Win32_Product | Format-List -Property Name,InstallDate,InstallLocation,PackageCache,Vendor,Version,IdentifyingNum
The results are not being populated in my index. I'm getting GUID's and the following:
formatEntryInfo="Microsoft.PowerShell.Commands.Internal.Format.ListViewEntry"
outOfBand="False"
writeErrorStream="False"
What am I doing wrong?
Thanks in advance for any help or suggestions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the problem is with your Format-List.
Try using a Select-Object instead
Get-WmiObject -Class Win32_Product | Select-Object Name, InstallDate, InstallLocation, PackageCache, Vendor, Version, IdentifyingNum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for starting this thread. I have also been thinking about implementing this along with some other queries.
May I add some suggestions
1. Don't use Get-WmiObject -Class Win32_Product as it will generate hundreds of events (1035) in the application log.
2. The query does not return all the installed software on a 64bit system.
Below is some PowerShell code that does not generate 1035 events and gets 64&32bit programs.
$s64=Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*
$s32=Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*
$s = $s32+$s64
$applist = $s | Where-Object {$_.DisplayName -ne $Null}`
| Where-Object {$_.DisplayName -like "*$Software*"} | Sort-Object DisplayName
Make Key Value Pairs for easy processing in Splunk by adding the following. We used this in our .ps1 files.
foreach ($app in $applist) {
$s= " DisplayName=`""+$app.DisplayName+"`"" `
+" Publisher=`""+$app.Publisher+"`"" `
+" DisplayVersion=`""+$app.DisplayVersion+"`"" `
+" InstallDate=`""+$app.InstallDate+"`""
Write-Host $s
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a minor comment to your post above. Either escape the backslashes or include the code within a code sample block
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the problem is with your Format-List.
Try using a Select-Object instead
Get-WmiObject -Class Win32_Product | Select-Object Name, InstallDate, InstallLocation, PackageCache, Vendor, Version, IdentifyingNum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, given how small your script is, is there any reason you don't want to include that straight in the inputs file, that is:
[powershell://installedapps]
script = Get-WmiObject -Class Win32_Product | Select-Object Name, InstallDate, InstallLocation, PackageCache, Vendor, Version, IdentifyingNum
index = windows
interval = 0 /5 ? ? *
sourcetype = powershell:installedapps
disabled = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this example - what is the purpose of using the question mark instead of the asterisk in the interval definition ?
interval = 0 /5 ? ? *
Secondly, the inputs.conf.spec says this should be declared with a "schedule"
schedule = <schedule>
*A cron schedule for executing the script. If blank, the script will only execute once.
Does that mean that "interval" and "schedule" can be used interchangeably for the powershell input stanza type ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Javiergn,
That worked! I'm not a big powershell user, so I appreciate the help.
And to your second point. No. I had tried both, but with your feedback will revert to the configuration outlined in your follow up post.
Many thanks!
Andrew
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
