- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to resole this: FormatMessage was unable to de...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to resole this: FormatMessage was unable to decode error (193), (0xc1)?
10-07-2019 13:33:23.696 -0700 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\SplunkUniversalForwarder\etc\apps\test\bin\abc.ps1"": FormatMessage was unable to decode error (193), (0xc1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just had the same error message:
04-20-2021 10:31:06.770 +0200 ERROR ExecProcessor - Couldn't start command ""C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\myscript.ps1"": FormatMessage was unable to decode error (193), (0xc1)
I had a deployment app which consisted of a ps1 file and this inputs.conf:
[script://.\bin\myscript.ps1]
index = myindex
schedule = */15 * * * *
crcSalt = <SOURCE>
I could not find out why this error message appeared.
However, I found this article: https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdatawithPowerShellscripts
I removed the ps1 file and created this inputs.conf instead:
[powershell://MyPSInput01]
index = myindex
script = Get-ADDomainController -Filter * | Select-Object -Property Domain,Name,HostName,IPv4Address,OperatingSystem,Enabled
schedule = */15 * * * *
crcSalt = <SOURCE>
This solved my issue.
I don't know if this works for more complex scripts than my one-liner.
Using the powershell input works surprisingly well: Before that I used "ConvertTo-Csv" as part of the PowerShell command to convert the PowerShell output to CSV before indexing. Using the powershell input, I do not need to specify the sourcetype and Splunk handles the log format automatically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For convenience, building on top of the previous response regarding the one-liner:
The following is an example from the Monitor Windows data with PowerShell scripts - Splunk Documentation which allows for a multiline script using the [powershell] rather than [script] stanza
[powershell://MSExchange_Health]
script=. $SplunkHome/etc/apps/TA-Exchange-2010/powershell/health.ps1Testing this at the moment with a custom PS script but doesn't fill me with supreme confidence when the official example references TA-Exchange-2010.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Venkat,
With the description provided there is not much i can help with, but below are few accepted answers which could be of use.
https://answers.splunk.com/answers/334729/how-to-troubleshoot-why-my-powershell-scripted-inp.html
https://answers.splunk.com/answers/1775/powershell-script-is-throwing-off-error-message-what-does-it...
Add some more context so we can discuss further on the issue
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
