Getting Data In

Getting data from powershell script

aNamee
Explorer

Hello,

I am having some trouble getting data into Splunk from a powershell script.
The script is a Nagios script called "Check Windows Updates using Powershell", and it returns the current status of the Windows Update software using the standard output "Write-Host".
My problem is that the script does not seem to run when intended.
I added my check_windows_updates.ps1 script via the "Add data" wizard, but it does not seem to run.
I also added another .bat script containing the following:

@echo off
powershell check_windows_updates.ps1

But it does not seem to run either, as I do not get any data from those two script inputs.

Thanks in advance for your help!

EDIT: I have .NET 4.7 and PowerShell 3.0 installed on my Windows server.

0 Karma
1 Solution

rjthibod
Champion

You are not correctly using the powershell script. You need to bundle the Powershell script as a scripted input/add-on, and then tell inputs.conf to invoke the powershell script.

Here are some reference links
https://answers.splunk.com/answers/334729/how-to-troubleshoot-why-my-powershell-scripted-inp.html
https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdatawithPowerShellscripts

Note, when I have done Powershell scripts as inputs, I have always used a .path file approach as shown in the first link. I have never used the Splunk Powershell Add-on. Just my experience.

aNamee
Explorer

Thanks for your answer!!
I solved this problem by setting up my script as a Powershell 3 modular input instead of setting it as a standard input script, with a Script path like . "$SplunkHome\..." , not from C:\, and with a CRON-formatted Schedule.
Also, I changed "Write-Host" to "Write-Output" in the script.
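
The setup described in the reply above, as an added example that is not the poster's script or Splunk's own code: a script written for the PowerShell modular input that reports pending Windows updates through Write-Output, with the matching inputs.conf stanza in its header comment. The app folder, file name, stanza name and sourcetype are hypothetical, and the cron value is left as a placeholder.

```powershell
# Added example, not the original poster's script. Hypothetical app layout:
#   $SPLUNK_HOME\etc\apps\win_updates\bin\pending_updates.ps1   (this file)
#   $SPLUNK_HOME\etc\apps\win_updates\local\inputs.conf         (stanza below)
#
#   [powershell://PendingWindowsUpdates]
#   script = . "$SplunkHome\etc\apps\win_updates\bin\pending_updates.ps1"
#   schedule = <cron expression>
#   sourcetype = windows:update:pending
#
# Write-Host prints to the console host and puts nothing on the pipeline, so
# there is no output object for the input to collect. Every result below is
# emitted with Write-Output instead.

function Get-PendingUpdateSummary {
    # Ask the Windows Update Agent (COM API) for updates that are not installed yet.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    $critical = 0
    $titles   = @()
    foreach ($update in $result.Updates) {
        if ($update.MsrcSeverity -eq 'Critical') { $critical++ }
        $titles += $update.Title
    }

    [pscustomobject]@{
        check            = 'windows_updates'
        status           = 'ok'
        pending_total    = $result.Updates.Count
        pending_critical = $critical
        pending_titles   = ($titles -join '; ')
    }
}

try {
    Write-Output (Get-PendingUpdateSummary)
}
catch {
    # Report a failed search as an event too, so a broken check is visible
    # in the index instead of showing up only as missing data.
    Write-Output ([pscustomobject]@{
        check   = 'windows_updates'
        status  = 'error'
        message = $_.Exception.Message
    })
}
```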

aNamee
Explorer

A .path could have been good too if I wasn't on Splunk 7 but on a version 6.2 or lower, where Powershell isn't supported natively. I find it easier to configure all via GUI than by editing config files in FS.

0 Karma

aNamee
Explorer

FYI, I am on Splunk 7.

0 Karma

aNamee
Explorer

Did any of you ever run a powershell script as a Splunk input?
Or do you have any other alternatives to get Windows Update's status?

EDIT: I gave a try to Splunk App for Windows, but unfortunately it does not monitor what I need. I would like to monitor the number of updates Windows has retrieved before the installation, but Splunk App for Windows only enables me to review the status of Windows' past updates.

Thanks

0 Karma