After upgrading my indexer and search head to Splunk 6.3, why is the search peer reporting that a PowerShell script exited abnormally?

I just updated my Splunk indexer and search head to version 6.3, and now I keep getting this error:

Search peer has the following message: msg="A script exited abnormally" input="C:\Program Files\Splunk\bin\splunk-powershell.exe" stanza="default" status="exited with code 1"

Any idea?

I have 1 index and 1 search head on a Windows 2008 R2 box.

Explorer

Seems to be a bug. SOLNESS-7880 has been submitted.

I was told to do the following to suppress the errors:

$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf:
[configuration_check://confcheck_script_errors]
suppress = ((streamfwd|splunk-(wmi.path|MonitorNoHandle.exe|winevtlog.exe|netmon.exe|perfmon.exe|regmon.exe|winprintmon.exe|admon.exe)).*exited with code 1)

You will have to restart the instance.

New Member

Any updates on this bug? I still have the issue even after adding the above-mentioned inputs.

0 Karma

Path Finder

I had a ticket open with support. They instructed me to disable the message flow either by doing the above, or doing the equivalent from the web UI. It is a known bug, as also mentioned here.

In my case, the messages were not due to any real error on my end. Something in one of the scripts was tripping up the message because the result output was 1, and therefore triggered the message warning. If you are worried about what's actually going on with your particular system, have a look in your splunkd.log file; it's how we were able to determine when and why.

TL;DR: look at your logs and do the above-stated suppression for the executable. It will be addressed in a future update.

0 Karma

Engager

Just got this ourselves on an ES deployment. Will use the workaround for now. Thanks for posting!

0 Karma

I have a case open with Splunk and they said to do the same thing. ES is doing a check of all the scripted inputs, and it's not running that one correctly for some reason.

I am afraid that if I suppress this alert, it's going to come back and hurt me in the future.

0 Karma

Communicator

Hello Splunkers - I am getting the same error message. Please suggest something if you have faced and resolved this issue before.

0 Karma

Path Finder

I also have this issue after upgrading from 6.2.4. I have a couple more machines running Enterprise, but I'm getting two messages: one for splunk-powershell.exe and another with argument --ps2. Both have the same stanza and status message as OP.

0 Karma

Explorer

I have the same issues after upgrading to 6.3 on Windows. Although, I don't get the "Search peer" condition.

configuration_check.log:2015-10-10 15:00:03,690 ERROR pid=14712 tid=MainThread file=configuration_check.py:run:160 | status="completed" task="confcheck_script_errors" message="msg="A script exited abnormally" input="D:\Program Files\Splunk\bin\splunk-powershell.exe" stanza="default" status="exited with code 1""
configuration_check.log:2015-10-10 15:00:03,767 ERROR pid=14712 tid=MainThread file=configuration_check.py:run:160 | status="completed" task="confcheck_script_errors" message="msg="A script exited abnormally" input="D:\Program Files\Splunk\bin\splunk-powershell.exe --ps2" stanza="default" status="exited with code 1""
0 Karma
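
Added example, not part of any post in this thread and not Splunk's own code: a Python check of which "script exited abnormally" messages the posted suppress pattern would hide. It assumes the configuration check drops a message when the pattern matches anywhere in its text; the winevtlog, perfmon and admon messages are constructed samples.

```python
import re

# The suppress value posted in the thread, written with no whitespace in the pattern.
POSTED_SUPPRESS = (
    r"((streamfwd|splunk-(wmi.path|MonitorNoHandle.exe|winevtlog.exe|netmon.exe|"
    r"perfmon.exe|regmon.exe|winprintmon.exe|admon.exe)).*exited with code 1)"
)

# Fields of a "script exited abnormally" message as they appear in configuration_check.log.
MESSAGE_RE = re.compile(
    r'msg="[^"]*" input="(?P<input>[^"]*)" stanza="[^"]*" status="(?P<status>[^"]*)"'
)

BIN = "D:\\Program Files\\Splunk\\bin\\"


def _msg(script, status):
    """Build message text in the format shown in the thread's log lines."""
    return ('msg="A script exited abnormally" input="%s%s" stanza="default" status="%s"'
            % (BIN, script, status))


SAMPLE_MESSAGES = [
    _msg("splunk-powershell.exe", "exited with code 1"),        # from the thread
    _msg("splunk-powershell.exe --ps2", "exited with code 1"),  # from the thread
    _msg("splunk-winevtlog.exe", "exited with code 1"),         # constructed
    _msg("splunk-perfmon.exe", "exited with code 127"),         # constructed
    _msg("splunk-admon.exe", "exited with code 2"),             # constructed
]


def audit_suppression(pattern, lines):
    """Return (input, status, suppressed) for each script-error message in lines."""
    suppress = re.compile(pattern)
    results = []
    for line in lines:
        m = MESSAGE_RE.search(line)
        if m is None:
            continue  # not a script-error message
        # Assumption: a message is dropped when the pattern matches anywhere in it.
        suppressed = suppress.search(m.group(0)) is not None
        results.append((m.group("input"), m.group("status"), suppressed))
    return results


if __name__ == "__main__":
    for script, status, hidden in audit_suppression(POSTED_SUPPRESS, SAMPLE_MESSAGES):
        print("%-10s %s (%s)" % ("SUPPRESSED" if hidden else "shown", script, status))
```

Under that assumption the posted pattern leaves both splunk-powershell.exe messages visible, and because it is not anchored at the end it also hides exit codes that merely begin with 1, such as 127.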