All Apps and Add-ons

Why am I getting FormatException error when running a script?

loganmc10
New Member

I am trying to run the following script (I have tried as a .ps1, and putting it directly in inputs.conf)

Get-WmiObject -class win32_service | Select-Object Name,Status,PathName,StartMode,DisplayName,StartName,Started,State

I get this error:

PowerShell FormatException in Stanza powershell2://Service-Info: Index (zero based) must be greater than or equal to zero and less than the size of the argument list.

This is inputs.conf

[powershell2://Service-Info]
script = . "$SplunkHome\etc\apps\SA-ModularInput-PowerShell\bin\Service_Info.ps1"
schedule = 0 */10 * ? * *
sourcetype = Windows:Services

I have other scripts that run fine, this is the only one throwing this error

0 Karma

jbennett_splunk
Splunk Employee
Splunk Employee

What version of the addon? (current is 1.2.0, you can check in the splunk UI or in it's default/app.conf)

What version of Windows? (are you running PowerShell2 because you don't have anything newer?)

The only way I can replicate your problem is with the debug build of our PowerShell2 host (not sure how you would have gotten that, but it would certainly be a mistake). If you can run PowerShell 3 or higher, you can switch the stanza to [powershell://Service-Info] and the problem should go away 😉

As far as the possibility that you have debug bits, are you also getting output like any of these lines?

Modular PowerShell Initialized Successfully: 1 Jobs Loaded
Scheduler Started. Scheduling 1 Jobs
Scheduled 1 Jobs Successfully
Execute Stanza: powershell2://Service-Info

You could check if you have the debug build by just running it in a console window. If you run it and it outputs "PowerShell2" then it has the debug bit set, and I'm pretty sure you should just re-download from apps. (Note: After you run it, you'll have to kill it with Ctrl+C, because otherwise it's sitting there waiting for input from splunk).

0 Karma

loganmc10
New Member

We are running version 1.2.0
They are Windows 2008 R2 machines, I tried the Powershell stanza and it didn't work (gave all kinds of errors), so I assume the machines don't have Version 3. I did a "$psversiontable.psversion" as suggested in the docs, and it came back with Version 2.

Below is the full output from powershell2.log

Debug 2014-12-04T17:52:41.4701424Z PowerShell2 --scheme
Debug 2014-12-04T17:52:43.4053359Z PowerShell2 
Info 2014-12-04T17:52:43.8583812Z Modular PowerShell Initialized Successfully: 7 Jobs Loaded
Debug 2014-12-04T17:52:44.2864240Z Scheduler Started. Scheduling 7 Jobs
Debug 2014-12-04T17:52:44.4104364Z Scheduled 7 Jobs Successfully
Debug 2014-12-04T18:00:00.4590369Z Execute Stanza: powershell2://Service-Info
Error 2014-12-04T18:00:01.3511261Z PowerShell FormatException in Stanza powershell2://Service-Info: Index (zero based) must be greater than or equal to zero and less than the size of the argument list.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...