Getting Data In

FormatMessage was unable to decode error (193), (0xc1)

venkateshparank
Path Finder

10-07-2019 13:33:23.696 -0700 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\SplunkUniversalForwarder\etc\apps\test\bin\abc.ps1"": FormatMessage was unable to decode error (193), (0xc1)

0 Karma

whrg
Motivator

I just had the same error message:

 

04-20-2021 10:31:06.770 +0200 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\myscript.ps1"": FormatMessage was unable to decode error (193), (0xc1)

 

I had a deployment app which consisted of a ps1 file and this inputs.conf:

 

[script://.\bin\myscript.ps1]
index = myindex
schedule = */15 * * * *
crcSalt = <SOURCE>

 

I could not find out why this error message appeared.

However, I found this article: https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdatawithPowerShellscripts

I removed the ps1 file and created this inputs.conf instead:

 

[powershell://MyPSInput01]
index = myindex
script = Get-ADDomainController -Filter * | Select-Object -Property Domain,Name,HostName,IPv4Address,OperatingSystem,Enabled
schedule = */15 * * * *
crcSalt = <SOURCE>

 

This solved my issue.

I don't know if this works for more complex scripts than my one-liner.

Using the powershell input works surprisingly well: Before that I used "ConvertTo-Csv" as part of the PowerShell command to convert the PowerShell output to CSV before indexing. Using the powershell input, I do not need to specify the sourcetype and Splunk handles the log format automatically.

0 Karma

pruthvikrishnap
Contributor

Hi Venkat,

With the description provided there is not much i can help with, but below are few accepted answers which could be of use.

https://answers.splunk.com/answers/334729/how-to-troubleshoot-why-my-powershell-scripted-inp.html
https://answers.splunk.com/answers/1775/powershell-script-is-throwing-off-error-message-what-does-it...

Add some more context so we can discuss further on the issue

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!