Getting Data In

How to configure scripted inputs and check if they are running?

slashnburn
Path Finder

I have followed some documentation on adding inputs to from scripts, and have the following:

  1. A batch script, which calls my powershell script (running the batch scripts executes the powershell script properly)
  2. .path file located in myapp\bin

    $SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe "D:\Program Files\etc\apps\myapp\bin\mypsscript.ps1"
    
  3. app.conf file located in myapp\default with stanza

    [script://D:\Program Files\etc\apps\myapp\bin\mypathfile.path]
    interval = 50
    source = mypsscript.ps1
    

However, I am not sure how to know whether or not this script is actually running. I don't think it is, because if I search for that source, it doesn't have any results. Is this configured properly? How do I ensure the script kicks off? Do I need to do anything else?

Tags (3)
0 Karma
1 Solution

slashnburn
Path Finder

I fixed the problem. To summarize:

  • I removed the batch script, because the .path file essentially does the same thing.
  • I placed the call to the .path file in the input.config file with the parameters I had listed.
  • I placed the .ps1 file and the .path file in the $SPLUNK_HOME\bin\scripts.

Once I realized that the .path file is essentially a one line batch script, I was able to make the call to powershell (must use an explicit path) and then issue the command. Once I knew everything was in the right place, I figured out that I had to include "-file" before making the call to the .ps1 file.

View solution in original post

0 Karma

slashnburn
Path Finder

I fixed the problem. To summarize:

  • I removed the batch script, because the .path file essentially does the same thing.
  • I placed the call to the .path file in the input.config file with the parameters I had listed.
  • I placed the .ps1 file and the .path file in the $SPLUNK_HOME\bin\scripts.

Once I realized that the .path file is essentially a one line batch script, I was able to make the call to powershell (must use an explicit path) and then issue the command. Once I knew everything was in the right place, I figured out that I had to include "-file" before making the call to the .ps1 file.

0 Karma

strive
Influencer

I think your script is disabled. Try explicitly setting disabled = 0

[script://.binmypathfile.path]
interval = 50
source = mypsscript.ps
disabled = 0

disabled = false also should work.

You need to restart after making this change

0 Karma

slashnburn
Path Finder

Actually, after looking, I had this stanza in input.conf:

[script://.\bin\mypathfile.path]
interval = 50
source = mypsscript.ps

0 Karma

slashnburn
Path Finder

how do I then get the script to run?

0 Karma

MuS
SplunkTrust
SplunkTrust

your script stanza should be inside inputs.conf not app.conf

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...