Getting Data In

How to run basic PowerShell script on universal forwarder

Explorer

I'm trying to do something very simple but for some reason I cannot get it to work. I'm trying to run the basic PowerShell command below on a universal forwarder (on a Windows 10 workstation), but the output is not going to Splunk.

One question I have is what sourcetype should I be using? Each PowerShell command will have a different output, so do I need to have a sourcetype for each command I run?
(And I have read the article, but it's just not clicking for me: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts)

Key points:
* Workstation is connected to the deployment server
* I am using a very basic custom add-on app that hosts the PowerShell command
* Custom add-on app info:
  2 directories -> local and metadata. The local folder has two files: app.conf and inputs.conf (which is below).

[powershell://test-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = **system is not showing this correctly but it polls every minute**
sourcetype = Windows:Process

Splunk Employee

Hi @manderson_rr,

What is schedule set to exactly?

Also, what version is the UF?

Cheers,

- Jo.


Explorer
[powershell://manderson-script]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5
schedule = 0 */1 * * *
sourcetype = Windows:Process

UF --> 7.3.1.1


Esteemed Legend

Yes, each type of data should have its own sourcetype.
Be aware that PowerShell is not packaged with the UF; it must be installed on Windows.
Your script line looks fishy...


Explorer

What's wrong with the script? It's almost exactly the example they used in their documentation:

[powershell://Processes-EX1]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName, @{n="SplunkHost";e={$Env:SPLUNK_SERVER_NAME}}
schedule = 0 */5 * * *
sourcetype = Windows:Process


Contributor

Hi manderson_rr,
Your schedule in inputs.conf should be in cron format. For example, if you want the script to run every 5 minutes, your schedule should match the examples in the link below:
https://www.thegeekstuff.com/2011/07/cron-every-5-minutes/

Also you can add index in your inputs.conf if you want a separate index for the processes you are monitoring.
And if you are adding a custom index, don't forget to create this custom index on the search head as well.


Explorer

My schedule looks like this: * */1 * * *

@woodcock Link: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts

Under PowerShell input configuration values >> Single command example


Esteemed Legend

Yes, I retract my comment on the fishiness of the script line; I don't do much PowerShelling...


Explorer

@woodcock no worries. I thought using PowerShell would be more common but I'm finding not many customers use it with their UF.


Splunk Employee

Hi @manderson_rr,

Ah yes, unfortunately some of the example schedules are incorrect. How often would you like it to run? Here's a handy site: https://crontab.guru/

I can confirm that a number of customers are using the PowerShell modular input successfully.

Cheers,

- Jo.

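The confusion in this thread comes from reading `0 */1 * * *` as "every minute" when cron reads it as "minute 0 of every hour". The following PowerShell is an added example, not code from the thread or from Splunk: a small five-field cron matcher (supporting `*`, `*/n`, `a`, `a-b` and comma lists) that counts how many times each schedule string posted here fires in a day. It assumes the powershell:// input applies standard cron semantics, which the `*/n` form in the Splunk docs example implies.

```powershell
# Added example, not from the thread: a minimal five-field cron matcher
# (minute hour day-of-month month day-of-week) used to show how often each
# schedule string in this thread actually fires. Assumes the powershell://
# input applies standard cron semantics (the docs example uses "*/n").

function Test-CronField {
    param([string]$Field, [int]$Value, [int]$Min, [int]$Max)
    foreach ($part in $Field.Split(',')) {
        $step = 1
        $range = $part
        if ($part -match '^(.+)/(\d+)$') {          # "*/5" or "1-10/2"
            $range = $Matches[1]
            $step = [int]$Matches[2]
        }
        if ($range -eq '*') {
            $lo = $Min; $hi = $Max
        } elseif ($range -match '^(\d+)-(\d+)$') {  # "9-17"
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        } elseif ($range -match '^\d+$') {          # "0"
            $lo = [int]$range
            $hi = $lo
            if ($step -gt 1) { $hi = $Max }          # "5/10" means 5,15,25,...
        } else {
            throw "Unsupported cron field '$part'"
        }
        if ($Value -ge $lo -and $Value -le $hi -and (($Value - $lo) % $step) -eq 0) {
            return $true
        }
    }
    return $false
}

function Test-CronMatch {
    param([string]$Schedule, [datetime]$Time)
    $f = $Schedule.Trim() -split '\s+'
    if ($f.Count -ne 5) { throw "Expected 5 fields, got $($f.Count): '$Schedule'" }
    return (Test-CronField $f[0] $Time.Minute 0 59) -and
           (Test-CronField $f[1] $Time.Hour   0 23) -and
           (Test-CronField $f[2] $Time.Day    1 31) -and
           (Test-CronField $f[3] $Time.Month  1 12) -and
           (Test-CronField $f[4] ([int]$Time.DayOfWeek) 0 6)   # Sunday = 0
}

function Get-CronFiringsPerDay {
    # Walk every minute of one (arbitrary, fixed) day and count matches.
    param([string]$Schedule, [datetime]$Day = [datetime]'2019-10-01')
    $start = $Day.Date
    $count = 0
    $first = @()
    for ($i = 0; $i -lt 1440; $i++) {
        $t = $start.AddMinutes($i)
        if (Test-CronMatch $Schedule $t) {
            $count++
            if ($first.Count -lt 3) { $first += $t.ToString('HH:mm') }
        }
    }
    [pscustomobject]@{
        Schedule      = $Schedule
        FiringsPerDay = $count
        FirstFirings  = ($first -join ', ')
    }
}

# The schedules posted in this thread, plus the ones that really mean
# "every minute", "every 5 minutes" and "hourly".
'0 */1 * * *', '* * * * *', '0 */5 * * *', '*/5 * * * *', '0 * * * *' |
    ForEach-Object { Get-CronFiringsPerDay -Schedule $_ } |
    Format-Table -AutoSize
```

Run it in any PowerShell window; it does not touch Splunk. `0 */1 * * *` and `0 * * * *` both fire 24 times a day (on the hour), `0 */5 * * *` fires 5 times (00:00, 05:00, 10:00, ...), `*/5 * * * *` fires 288 times, and only `* * * * *` fires 1440 times. So for the short troubleshooting window use `schedule = * * * * *`, and switch to `schedule = 0 * * * *` for the hourly run once events arrive.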

Explorer

@jhornsby_splunk For now, I would like to run every minute.


Esteemed Legend

Then use * * * * * but I think that is crazy....


Explorer

I would only use that example for 5-10 minutes, so I can troubleshoot and/or verify the output is being ingested. It will run every 60 minutes once it actually works.


Esteemed Legend

That's OK then.


Splunk Employee

Hi @manderson_rr,

For maximum debugging, you can change $logDebug to $true in splunk-powershell.ps1, which affects splunk-powershell.ps1.log. And you can also change ExecProcessor (in log.cfg) and splunk-powershell (in log-cmdline.cfg) to DEBUG, which affects splunkd.log. You will need to restart the UF for the changes to take effect. Maybe one of these logs will provide some clues as to what is going wrong.

Cheers,

- Jo.
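A PowerShell checklist to go with the debugging advice above; this is an added example, not from Jo or from Splunk. It assumes a default UF install path (override with $env:SPLUNK_HOME), that splunk-powershell.ps1.log sits beside splunkd.log under var\log\splunk, and that it is run in an elevated PowerShell on the workstation after the DEBUG changes and a UF restart.

```powershell
# Added example, not from the thread: confirm the powershell:// stanza reached
# the UF, that the command works outside Splunk, and read the logs the modular
# input writes. Paths below are assumptions for a default install.
$SplunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\SplunkUniversalForwarder' }
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'

# 1. The UF does not ship PowerShell; make sure Windows has it on PATH.
Get-Command powershell.exe -ErrorAction Stop | Select-Object Name, Version, Source

# 2. Does btool see the stanza after merging every inputs.conf, and which app
#    supplies each key? (--debug prefixes each line with the source file.)
& $splunk btool inputs list --debug | Select-String -Pattern 'powershell://' -Context 0,4

# 3. Run the stanza's command outside Splunk to confirm it returns objects.
Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName -Last 5 | Format-Table -AutoSize

# 4. Tail the modular input's own log (where $logDebug = $true writes) and the
#    ExecProcessor / modular input lines in splunkd.log (assumed locations).
$logDir = Join-Path $SplunkHome 'var\log\splunk'
Get-Content (Join-Path $logDir 'splunk-powershell.ps1.log') -Tail 40 -ErrorAction SilentlyContinue
Get-Content (Join-Path $logDir 'splunkd.log') -Tail 2000 |
    Select-String -Pattern 'ExecProcessor.*powershell|ModularInputs.*powershell' |
    Select-Object -Last 20
```

If step 2 prints nothing, the app never reached $SPLUNK_HOME\etc\apps on the workstation and the deployment server is the place to look; if step 2 is fine but step 4 shows ExecProcessor errors, the problem is in the script or the schedule rather than in deployment.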

Esteemed Legend

Link to dox?


Explorer

Link: https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowsdatawithPowerShellscripts

Under PowerShell input configuration values >> Single command example
