Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to run basic PowerShell script on universal forwarder

manderson_rr
Explorer
‎11-21-2019 01:19 PM

I'm trying to do something very simple but for some reason I can not get it to work. I'm trying to run the basic PowerShell command below on a universal forwarder (on a Windows 10 workstation) but the output is not going to Splunk.

One question I have is what sourcetype should I be using? Each PowerShell command will have a different output...so do I need to have a sourcetype for each command I run?
(And I have read the article but its just not clicking for me https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts)

Key points:
*Workstation is connected to the deployment server
*I am using a very basic custom add-on app that host the PowerShell command
*Custom Add-on app info
2 directories -> local and metadata. The local folder has two files: app.conf and inputs.conf (which is below).

[powershell://test-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = **system is not showing this correctly but it polls every minute**
sourcetype = Windows:Process
Reply

jhornsby_splunk
Splunk Employee
Splunk Employee
‎11-21-2019 02:40 PM

Hi @manderson_rr,

What is schedule set to exactly?

Also, what version is the UF?

Cheers,

- Jo.

0 Karma
Reply

manderson_rr
Explorer
‎11-22-2019 09:02 AM 
[powershell://manderson-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = 0 */1 * * *
sourcetype = Windows:Process

UF --> 7.3.1.1

0 Karma
Reply

woodcock
Esteemed Legend
‎11-21-2019 01:56 PM

Yes, each type of data should has its own sourcetype.
Be aware that Powershell is not packaged with UF, it must be installed to Windows.
Your script line look fishy...

0 Karma
Reply

manderson_rr
Explorer
‎11-21-2019 02:03 PM

What's wrong with the script? It's almost exactly the example they used in their documentation

[powershell://Processes-EX1]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName, @{n="SplunkHost";e={$Env:SPLUNK_SERVER_NAME}}
schedule = 0 */5 * * *
sourcetype = Windows:Process

0 Karma
Reply

nikita_p
Contributor
‎11-21-2019 09:09 PM

Hi manderson_rr,
Your schedule in inputs.conf should be in a cron format. Like if you want the script to run for every 5 minutes your schedule should be equal to the examples in the link below:
https://www.thegeekstuff.com/2011/07/cron-every-5-minutes/

Also you can add index in your inputs.conf if you want a separate index for the processes you are monitoring.
And if you are adding a custom index don't forget to create this custom index on search head as well.

0 Karma
Reply

manderson_rr
Explorer
‎11-22-2019 08:52 AM

My schedule looks like this: * */1 * * *

@woodcock Link: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts

Under PowerShell input configuration values >> Single command example

0 Karma
Reply

woodcock
Esteemed Legend
‎11-22-2019 09:18 AM

Yes, I retract my comment on the fishiness of the script line; I don't do much powersehelling...

0 Karma
Reply

manderson_rr
Explorer
‎11-22-2019 09:33 AM

@woodcock no worries. I thought using PowerShell would be more common but I'm finding not many customers use it with their UF.

0 Karma
Reply

jhornsby_splunk
Splunk Employee
Splunk Employee
‎11-22-2019 12:44 PM

Hi @manderson_rr,

Ah yes, unfortunately some of the example schedules are incorrect. How often would you like it to run? Here's a handy site: https://crontab.guru/

I can confirm that a number of customer are using the PowerShell modular input successfully. O&;)

Cheers,

- Jo.

0 Karma
Reply

manderson_rr
Explorer
‎11-22-2019 12:47 PM

@jhornsby_splunk For now, I would like to run every minute.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-22-2019 12:56 PM

Then use * * * * * but I think that is crazy....

0 Karma
Reply

manderson_rr
Explorer
‎11-22-2019 12:59 PM

I would only use that example for 5-10 minutes, so I can troubleshoot and/or verify the output is being ingested. It will run every 60 minutes once it actually works.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-22-2019 01:26 PM

That's OK then.

0 Karma
Reply

jhornsby_splunk
Splunk Employee
Splunk Employee
‎11-22-2019 01:07 PM

Hi @manderson_rr,

For maximum debugging, you can change $logDebug to $true in splunk-powershell.ps1, which affects splunk-powershell.ps1.log. And you can also change ExecProcessor (in log.cfg) and splunk-powershell (in log-cmdline.cfg) to DEBUG, which affects splunkd.log. You will need to restart the UF for the changes to take effect. Maybe one of these logs will provide some clues as to what is going wrong.

Cheers,

- Jo.

Reply

woodcock
Esteemed Legend
‎11-21-2019 02:28 PM

Link to dox?

0 Karma
Reply

manderson_rr
Explorer
‎11-22-2019 09:00 AM

Link: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts

Under PowerShell input configuration values >> Single command example

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top