
Splunk Add-on for Microsoft PowerShell: How to run a process that collects machine data once a day at a specified time across all my systems?

Explorer

Hi folks,

I am having problems integrating the Splunk Add-on for Microsoft PowerShell. My goal is that I want to run a process that collects machine data once a day at a specific time across all my systems, then feed the data to a dashboard for reporting. I've tried the Splunk_TA_Windows installedapps.bat file, but that does not collect the right information. I also tried WinHOSTMon, which does get the data, but has a field extraction issue with the DisplayName field, and further has been deprecated as of 6.3. I am now using PowerShell and am having problems.

Below is my input syntax:

# this should run every 5 minutes for testing and QC of the dashboard.
[powershell://installedapps]
script = . "$SplunkHome\etc\apps\Splunk_TA_windows\bin\installedapps.ps1"
index = windows
interval = 0 /5 * ? * ? *
sourcetype = powershell:installedapps
disabled = false

The input runs the following powershell command:

Get-WmiObject -Class Win32_Product | Format-List -Property Name,InstallDate,InstallLocation,PackageCache,Vendor,Version,IdentifyingNumber

The results are not being populated in my index. I'm getting GUIDs and the following:

formatEntryInfo="Microsoft.PowerShell.Commands.Internal.Format.ListViewEntry"
outOfBand="False"
writeErrorStream="False"

What am I doing wrong?

Thanks in advance for any help or suggestions.

0 Karma
1 Solution

SplunkTrust

I think the problem is with your Format-List.
Try using a Select-Object instead

Get-WmiObject -Class Win32_Product | Select-Object Name, InstallDate, InstallLocation, PackageCache, Vendor, Version, IdentifyingNumber

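To see why the Select-Object fix works, here is an added example (not code from the thread or from the add-on) that inspects what each pipeline actually hands to its consumer. Format-* cmdlets do not emit your data; they emit formatting directive objects, and it is their own properties (formatEntryInfo, outOfBand, writeErrorStream) that ended up in the index. Select-Object emits objects whose properties are your fields. A constructed sample object stands in for Win32_Product so the example runs offline and does not trigger the MSI consistency check; the function names are mine.

```powershell
# Added example, not part of the original thread. Shows the difference between
# what Format-List and Select-Object put on the pipeline, which is what a
# Splunk PowerShell input serialises into an event.

# Constructed sample standing in for one Win32_Product instance (not real data).
$sampleProduct = [pscustomobject]@{
    Name              = 'Example Application'
    Version           = '1.2.3'
    Vendor            = 'Example Vendor'
    InstallDate       = '20240101'
    IdentifyingNumber = '{00000000-0000-0000-0000-000000000000}'
}

# One row per object the pipeline emits: its .NET type, whether it is a
# formatting directive, and the property names a consumer would see as fields.
function Get-PipelineShape {
    param([Parameter(Mandatory)][scriptblock]$Pipeline)
    foreach ($obj in @(& $Pipeline)) {
        $typeName = $obj.GetType().FullName
        [pscustomobject]@{
            TypeName       = $typeName
            IsFormatObject = $typeName -like 'Microsoft.PowerShell.Commands.Internal.Format.*'
            Properties     = ($obj.PSObject.Properties.Name -join ', ')
        }
    }
}

# Pre-flight check for an input script: throw if anything it emits is a
# formatting directive rather than data.
function Assert-NoFormatObjects {
    param([Parameter(Mandatory)][scriptblock]$Pipeline)
    $bad = Get-PipelineShape $Pipeline | Where-Object IsFormatObject
    if ($bad) {
        throw "Pipeline emits $(@($bad).Count) formatting object(s); use Select-Object, not Format-*"
    }
    'OK: pipeline emits only data objects'
}

'=== Format-List: formatting directives, product fields are gone ==='
Get-PipelineShape { $sampleProduct | Format-List -Property Name, Version, Vendor } |
    Format-Table -AutoSize   # Format-Table is fine at a console, never inside the input script

'=== Select-Object: one object whose properties become Splunk fields ==='
Get-PipelineShape { $sampleProduct | Select-Object Name, Version, Vendor, IdentifyingNumber } |
    Format-Table -AutoSize

'=== Pre-flight check on the corrected command ==='
Assert-NoFormatObjects { $sampleProduct | Select-Object Name, Version, Vendor, IdentifyingNumber }
```

The first table lists several Microsoft.PowerShell.Commands.Internal.Format.* objects (FormatStartData, GroupStartData, FormatEntryData, and so on), and the FormatEntryData row carries exactly the formatEntryInfo, outOfBand and writeErrorStream properties seen in the question. The second table has a single PSCustomObject whose Properties column is your field list. Running Assert-NoFormatObjects against a script block before deploying it to inputs.conf catches this class of mistake on the workstation rather than in the index.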

Path Finder

Thanks for starting this thread. I have also been thinking about implementing this along with some other queries.

May I add some suggestions
1. Don't use Get-WmiObject -Class Win32_Product as it will generate hundreds of events (1035) in the application log.
2. The query does not return all the installed software on a 64bit system.

Below is some PowerShell code that does not generate 1035 events and gets 64&32bit programs.

# 64-bit and 32-bit (Wow6432Node) uninstall keys; reading the registry does not
# trigger the MSI consistency check that Win32_Product does.
$s64 = Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*
$s32 = Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*
$s = $s32 + $s64
# Optional substring filter on DisplayName; leave empty to list everything.
$Software = ''
$applist = $s | Where-Object { $_.DisplayName -ne $null } |
    Where-Object { $_.DisplayName -like "*$Software*" } | Sort-Object DisplayName

Make key=value pairs for easy processing in Splunk by adding the following. We used this in our .ps1 files.

# One line per product, each field quoted so values with spaces stay intact.
foreach ($app in $applist) {
    $s = " DisplayName=`"" + $app.DisplayName + "`"" `
       + " Publisher=`"" + $app.Publisher + "`"" `
       + " DisplayVersion=`"" + $app.DisplayVersion + "`"" `
       + " InstallDate=`"" + $app.InstallDate + "`""
    Write-Host $s
}
0 Karma
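Building on the registry approach in the post above, here is an added example (my code, not the poster's script) that keeps the no-Win32_Product design but returns objects instead of Write-Host strings, so a Splunk PowerShell input that serialises pipeline output emits one event per product with DisplayName=, Publisher=, DisplayVersion= and so on as fields. It goes a little beyond the post: it also reads the per-user uninstall keys under HKCU, skips entries flagged SystemComponent=1 (hidden from Programs and Features) unless asked for, and normalises InstallDate to ISO 8601. The function name and parameters are mine.

```powershell
# Added example, not the original poster's script. Registry-based inventory that
# emits objects to the pipeline so the Splunk PowerShell input can turn them into
# key=value fields. Assumptions beyond the post: HKCU is included and
# SystemComponent=1 entries are filtered out by default.

function Get-InstalledSoftware {
    [CmdletBinding()]
    param(
        # Optional substring match on DisplayName (replaces the undefined $Software above).
        [string]$Filter = '',
        # Also return entries hidden from "Programs and Features" (SystemComponent=1).
        [switch]$IncludeSystemComponents
    )

    # Every uninstall key to read, tagged with the hive and architecture it represents.
    $roots = @(
        @{ Hive = 'HKLM'; Arch = 'x64'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' }
        @{ Hive = 'HKLM'; Arch = 'x86'; Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' }
        @{ Hive = 'HKCU'; Arch = 'x64'; Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' }
        @{ Hive = 'HKCU'; Arch = 'x86'; Path = 'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' }
    )

    foreach ($root in $roots) {
        # Wow6432Node does not exist on 32-bit Windows; skip it silently.
        if (-not (Test-Path -Path $root.Path)) { continue }

        Get-ItemProperty -Path "$($root.Path)\*" -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -and $_.DisplayName -like "*$Filter*" } |
            Where-Object { $IncludeSystemComponents -or $_.SystemComponent -ne 1 } |
            ForEach-Object {
                # InstallDate is usually yyyyMMdd; emit yyyy-MM-dd so Splunk parses it,
                # and pass anything else (missing, or already a date string) through unchanged.
                $installDate = [string]$_.InstallDate
                $parsed = [datetime]::MinValue
                if ($installDate -match '^\d{8}$' -and
                    [datetime]::TryParseExact($installDate, 'yyyyMMdd',
                        [cultureinfo]::InvariantCulture,
                        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
                    $installDate = $parsed.ToString('yyyy-MM-dd')
                }

                [pscustomobject]@{
                    ComputerName    = $env:COMPUTERNAME
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    Publisher       = $_.Publisher
                    InstallDate     = $installDate
                    InstallLocation = $_.InstallLocation
                    UninstallString = $_.UninstallString
                    Architecture    = $root.Arch
                    Hive            = $root.Hive
                    KeyName         = $_.PSChildName
                }
            }
    }
}

# Emit to the pipeline rather than Write-Host: the input serialises pipeline
# objects (which is also why Format-List output was useless above).
# For a plain scripted input, append "| ConvertTo-Csv -NoTypeInformation" instead.
Get-InstalledSoftware | Sort-Object DisplayName, Architecture
```

Save this as the .ps1 that the [powershell://...] stanza dot-sources, and every product appears as one event carrying DisplayName, Publisher, DisplayVersion, InstallDate, Architecture, Hive and KeyName fields; KeyName (the registry subkey, often the MSI product code GUID) gives you a stable identifier for deduplication across daily runs, and Hive tells you whether an install is machine-wide or per-user, which is the kind of thing an unauthorised-software report wants to distinguish.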

SplunkTrust

Just a minor comment to your post above. Either escape the backslashes or include the code within a code sample block

0 Karma


SplunkTrust

Also, given how small your script is, is there any reason you don't want to include that straight in the inputs file, that is:

[powershell://installedapps]
script = Get-WmiObject -Class Win32_Product | Select-Object Name, InstallDate, InstallLocation, PackageCache, Vendor, Version, IdentifyingNumber
index = windows
interval = 0 /5 ? ? *
sourcetype = powershell:installedapps
disabled = false
0 Karma

Path Finder

In this example - what is the purpose of using the question mark instead of the asterisk in the interval definition ?

interval = 0 /5 ? ? *

Secondly, the inputs.conf.spec says this should be declared with a "schedule"

schedule = <schedule>
*A cron schedule for executing the script. If blank, the script will only execute once.

Does that mean that "interval" and "schedule" can be used interchangeably for the powershell input stanza type ?

0 Karma

Explorer

Thanks Javiergn,

That worked! I'm not a big powershell user, so I appreciate the help.

And to your second point: no. I had tried both, but with your feedback will revert to the configuration outlined in your follow-up post.

Many thanks!

Andrew

0 Karma