Getting Data In

How to keep powershell process alive

patrickyoko
Engager

Hello,

I've created a Powershell script that I use to monitor a folder.

It all works how it's suppose to work, but the problem is when I deploy it as an Splunk App, it starts the Script but doesn't keep the powershell process alive.

Here are the input.conf en .path files I've used.

inputs.conf
[script://$SPLUNK_HOME\etc\apps\TA_TEST\bin\FolderMonitor.path]
disable=false
interval=-1  
index=winlogs

FolderMonitor.path
$Systemroot\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -Command " & '$SPLUNK_HOME\etc\apps\TA_TEST\bin\FolderMonitor.ps1'"

I've tried several things

Changing the .path file to powershell.exe -noexit -noprofile -executionpolicy bypass -Command, but that didn't work at least not when it's deployed by Splunk if I put that directly in Command Prompt it does work.

Changing the interval from -1 to 0 but that just started a new powershell process, and I need the original process to be kept alive.
Any tips or help would be grealy appreciated.

With kind regards,
Patrick

0 Karma
1 Solution

patrickyoko
Engager

I've solved the problem by doing the following.

The first script is creating a dirlist and at the end of the script I'm calling Start-Process powershell.exe "-NoExit . .\FileMonitor.ps1"

That way the file monitor is being runned as SYSTEM and outside of Splunk.

View solution in original post

0 Karma

patrickyoko
Engager

I've solved the problem by doing the following.

The first script is creating a dirlist and at the end of the script I'm calling Start-Process powershell.exe "-NoExit . .\FileMonitor.ps1"

That way the file monitor is being runned as SYSTEM and outside of Splunk.

0 Karma

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi @patrickyoko ,

I'm surprised you needed to do this, to be honest. I just tested and using interval = -1 seemed to work for me. What version of Splunk is this?

Also, FWIW, for PowerShell scripts you can use the native PowerShell modular input by means of powershell:// stanzas.

Hope this helps.

Cheers,

- Jo.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...