Getting Data In

How to resole this: FormatMessage was unable to decode error (193), (0xc1)?

venkateshparank
Path Finder

10-07-2019 13:33:23.696 -0700 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\SplunkUniversalForwarder\etc\apps\test\bin\abc.ps1"": FormatMessage was unable to decode error (193), (0xc1)

Labels (1)
0 Karma

whrg
Motivator

I just had the same error message:

 

04-20-2021 10:31:06.770 +0200 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\myscript.ps1"": FormatMessage was unable to decode error (193), (0xc1)

 

I had a deployment app which consisted of a ps1 file and this inputs.conf:

 

[script://.\bin\myscript.ps1]
index = myindex
schedule = */15 * * * *
crcSalt = <SOURCE>

 

I could not find out why this error message appeared.

However, I found this article: https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdatawithPowerShellscripts

I removed the ps1 file and created this inputs.conf instead:

 

[powershell://MyPSInput01]
index = myindex
script = Get-ADDomainController -Filter * | Select-Object -Property Domain,Name,HostName,IPv4Address,OperatingSystem,Enabled
schedule = */15 * * * *
crcSalt = <SOURCE>

 

This solved my issue.

I don't know if this works for more complex scripts than my one-liner.

Using the powershell input works surprisingly well: Before that I used "ConvertTo-Csv" as part of the PowerShell command to convert the PowerShell output to CSV before indexing. Using the powershell input, I do not need to specify the sourcetype and Splunk handles the log format automatically.

0 Karma

rivium_ro_mc
Explorer

For convenience, building on top of the previous response regarding the one-liner:

The following is an example from the Monitor Windows data with PowerShell scripts - Splunk Documentation which allows for a multiline script using the [powershell] rather than [script] stanza

   [powershell://MSExchange_Health]
    script=. $SplunkHome/etc/apps/TA-Exchange-2010/powershell/health.ps1

Testing this at the moment with a custom PS script but doesn't fill me with supreme confidence when the official example references TA-Exchange-2010.

0 Karma

pruthvikrishnap
Contributor

Hi Venkat,

With the description provided there is not much i can help with, but below are few accepted answers which could be of use.

https://answers.splunk.com/answers/334729/how-to-troubleshoot-why-my-powershell-scripted-inp.html
https://answers.splunk.com/answers/1775/powershell-script-is-throwing-off-error-message-what-does-it...

Add some more context so we can discuss further on the issue

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...