Splunk Add-on for Microsoft System Center Operations Manager: Why is the add-on not writing data to index?

DolEgon22
New Member

Hi all,

I have set up the Splunk Add-on for Microsoft System Center Operations Manager (SCOM) and have successfully set up a performance input from SCOM and can see in the ta_scom.log that the PowerShell scripts are getting the objects. However, nothing is written to the index. In fact, I don't see the add-on sourcetypes at all ("microsoft:scom:*").

I've exhausted all the log files I can think of to look in for clues as to why the data never makes it into the index, but so far have come up empty. Any ideas as to what I'm missing or where else I can look to troubleshoot the issue?

Thanks in advance!

0 Karma

DolEgon22
New Member

I found that the PowerShell scripts that are running for the Splunk Add-on for Microsoft Active Directory were causing some issue, not allowing the PowerShell scripts for the Splunk Add-on for SCOM to complete, so no data was getting into the index.

Steps I used to discover the issue (nothing in the logging provided a clue):

  1. Saw that the PowerShell process on the server was consuming a LOT of memory and not releasing any.
  2. Using Process Explorer, I found the command line that Splunk uses to launch the PowerShell scripts. It writes a temp file with the parameters and passes it to PowerShell.
  3. I cracked open the temp file and saw that before the SCOM-related PS scripts were run, a bunch of AD-related PS scripts were executed.
  4. I disabled the Splunk Add-on for Microsoft Active Directory.
  5. Data from SCOM began populating the index.

However, some add-ons/apps require the Splunk Add-on for Microsoft Active Directory. When I re-enabled it, the data from SCOM stopped being written again. Can anyone elaborate why this would be the case?

0 Karma
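
Steps 1 and 2 of the post above can also be done from a console instead of Process Explorer. The following is an added example, not part of the original thread or the add-on's own code; the 60-second sampling interval is an assumption, and an elevated prompt is needed to read the command lines of processes running under other accounts.

```powershell
# Added example: sample every powershell.exe twice to find one whose memory
# keeps growing, and show the command line it was launched with.

function Get-PowerShellSnapshot {
    # Win32_Process exposes CommandLine, ParentProcessId and WorkingSetSize (bytes).
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        ForEach-Object {
            $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId    = $_.ProcessId
                ParentName   = if ($parent) { $parent.ProcessName } else { '<exited>' }
                WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
                CommandLine  = $_.CommandLine
            }
        }
}

$intervalSeconds = 60   # assumption: long enough to see growth; adjust as needed

$first = @(Get-PowerShellSnapshot)
Start-Sleep -Seconds $intervalSeconds
$second = @(Get-PowerShellSnapshot)

$second | ForEach-Object {
    $after  = $_
    $before = $first | Where-Object { $_.ProcessId -eq $after.ProcessId }
    if (-not $before) { return }   # process started during the interval; skip it

    [pscustomobject]@{
        ProcessId   = $after.ProcessId
        ParentName  = $after.ParentName
        StartMB     = $before.WorkingSetMB
        EndMB       = $after.WorkingSetMB
        GrowthMB    = [math]::Round($after.WorkingSetMB - $before.WorkingSetMB, 1)
        # The command line references the parameter file described in step 2.
        CommandLine = $after.CommandLine
    }
} | Sort-Object GrowthMB -Descending | Format-List
```

A process that shows steady positive growth across repeated runs and never exits is the candidate to inspect; its command line points at the parameter file from step 3.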

aaraneta_splunk
Splunk Employee

@DolEgon22 - Did your answer provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers/comments, then you don't have to take action on it yet.

0 Karma

DolEgon22
New Member

The details of the root cause have yet to be uncovered. I'll keep it open a little longer in case someone has some insight on the issue. Thanks!

0 Karma