How to configure scripted inputs and check if they are running?

slashnburn
Path Finder

I have followed some documentation on adding inputs from scripts, and have the following:

  1. A batch script, which calls my PowerShell script (running the batch script executes the PowerShell script properly)
  2. .path file located in myapp\bin

    $SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe "D:\Program Files\etc\apps\myapp\bin\mypsscript.ps1"
    
  3. app.conf file located in myapp\default with stanza

    [script://D:\Program Files\etc\apps\myapp\bin\mypathfile.path]
    interval = 50
    source = mypsscript.ps1
    

However, I am not sure how to know whether or not this script is actually running. I don't think it is, because if I search for that source, it doesn't have any results. Is this configured properly? How do I ensure the script kicks off? Do I need to do anything else?

0 Karma

slashnburn
Path Finder

I fixed the problem. To summarize:

  • I removed the batch script, because the .path file essentially does the same thing.
  • I placed the call to the .path file in the input.config file with the parameters I had listed.
  • I placed the .ps1 file and the .path file in $SPLUNK_HOME\bin\scripts.

Once I realized that the .path file is essentially a one-line batch script, I was able to make the call to PowerShell (must use an explicit path) and then issue the command. Once I knew everything was in the right place, I figured out that I had to include "-file" before making the call to the .ps1 file.

0 Karma

strive
Influencer

I think your script is disabled. Try explicitly setting disabled = 0.

    [script://.\bin\mypathfile.path]
    interval = 50
    source = mypsscript.ps
    disabled = 0

disabled = false also should work.

You need to restart after making this change.

0 Karma

slashnburn
Path Finder

Actually, after looking, I had this stanza in input.conf:

    [script://.\bin\mypathfile.path]
    interval = 50
    source = mypsscript.ps

0 Karma

slashnburn
Path Finder

How do I then get the script to run?

0 Karma

MuS
Legend

Your script stanza should be inside inputs.conf, not app.conf.

0 Karma
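
The checks this thread arrived at (stanza in inputs.conf rather than app.conf, input not explicitly disabled, an explicit interpreter path and `-File` in the .path wrapper), written as an added Python example that is not code from any post here or from Splunk. The function names and finding strings are hypothetical, and the sample files are constructed from the question's snippets, with `FIXED` reusing the same command line with `-File` added.

```python
import configparser
import ntpath
import re

def audit_path_file(name, files):
    """Check the one-line command inside a .path wrapper file."""
    hits = [p for p in files if ntpath.basename(p).lower() == name.lower()]
    if not hits:
        return [(name, ".path file not found")]
    line = next((l.strip() for l in files[hits[0]].splitlines() if l.strip()), "")
    out = []
    exe = re.match(r'"[^"]+"|\S+', line)  # first token is the interpreter
    if exe and not re.search(r"[\\/]", exe.group(0)):
        out.append((hits[0], "interpreter is not an explicit path"))
    if ".ps1" in line.lower() and not re.search(r"(?i)(^|\s)-file\b", line):
        out.append((hits[0], "-File missing before the .ps1 script"))
    return out

def audit_scripted_inputs(files):
    """files maps relative path -> text; returns (path, finding) tuples."""
    findings = []
    for path in (p for p in files if p.lower().endswith(".conf")):
        conf = configparser.ConfigParser(interpolation=None, strict=False)
        conf.read_string(files[path])
        for stanza in (s for s in conf.sections() if s.startswith("script://")):
            if ntpath.basename(path).lower() != "inputs.conf":
                findings.append((path, "script:// stanza outside inputs.conf"))
            if conf[stanza].get("disabled", "").strip().lower() in ("1", "true"):
                findings.append((path, "input is explicitly disabled"))
            target = ntpath.basename(stanza[len("script://"):])
            if target.lower().endswith(".path"):
                findings += audit_path_file(target, files)
    return findings

# Constructed from the question's snippets: stanza in app.conf, no -File.
STANZA = "interval = 50\nsource = mypsscript.ps1\n"
PS = r"$SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe "
PS1 = r'"D:\Program Files\etc\apps\myapp\bin\mypsscript.ps1"'
QUESTION = {
    "default/app.conf":
        r"[script://D:\Program Files\etc\apps\myapp\bin\mypathfile.path]" "\n" + STANZA,
    "bin/mypathfile.path": PS + PS1,
}
# Constructed corrected layout: inputs.conf, disabled = 0, -File added.
FIXED = {
    "default/inputs.conf": r"[script://.\bin\mypathfile.path]" "\n" + STANZA + "disabled = 0\n",
    "bin/mypathfile.path": PS + "-File " + PS1,
}
```

`audit_scripted_inputs(QUESTION)` reports the misplaced stanza and the missing `-File`; `audit_scripted_inputs(FIXED)` returns an empty list.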