Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to troubleshoot why my PowerShell scripted input is not being run?

mark19632
New Member
‎12-17-2015 06:01 AM

I've set up a new scripted input using powershell as follows:

Inputs.conf:

[script://$SPLUNK_HOME\bin\scripts\RESENDREQUEST.path]
source = RESENDREQUESTLOG
sourcetype = RESENDREQUESTLOG
interval = 10
disabled = 0

Created RESENDREQUEST.path in $SPLUNK_HOME\bin\scripts:

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"

Now, powershell isn't being run and I see no errors in the splunkd.log file.

Any ideas?

Thanks!

Mark

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-17-2015 08:19 AM

If you are running 6.3 PowerShell is supported natively:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsDatawithPowerShellscripts

If not I would probably go and install the PowerShell add-on:
https://splunkbase.splunk.com/app/1477/

If you can't (or don't want) to install the add-on, then double check paths and quotes in your scripts as this is usually the most common source of error. See this other post.

Thanks,
J

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-17-2015 08:19 AM

If you are running 6.3 PowerShell is supported natively:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsDatawithPowerShellscripts

If not I would probably go and install the PowerShell add-on:
https://splunkbase.splunk.com/app/1477/

If you can't (or don't want) to install the add-on, then double check paths and quotes in your scripts as this is usually the most common source of error. See this other post.

Thanks,
J

Reply
Solved! Jump to solution

youngsuh
Contributor
‎01-04-2024 08:26 AM

Monitor Windows data with PowerShell scripts - Splunk Documentation

 

Here is the update link to docs.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

mark19632
New Member
‎12-17-2015 01:26 PM

So it does!

All working now and much simpler.

Thanks!

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎12-18-2015 02:57 AM

That's great news.
If you are happy with the answer then could you mark is as "answered" so that others can benefit from it?

Thanks,
J

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-18-2015 04:00 AM

He could mark it as the answer, but he might want to change his question if so.

I gave steps on troubleshooting powershell, you hit the nail on the head as to his root issue. The question doesnt mention latest Splunk.

Good to know it has native support now!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-17-2015 07:05 AM

You can use some tools such as runas.exe or psexec.exe to run the same powershell command as the user splunk is running as to see what happens.

You may be running into an issue related to the execution policy of the machine you're on. See Get-ExecutionPolicy and Set-ExecutionPolicy.

runas.exe and psexec are console apps, so you can execute them at command prompt. Open a command prompt with administrative rights on the Universal Forwarder and try the following:

If splunk is running as system user, do this:

 psexec -i -s '"%SystemRoot%\System32\Windows\PowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"'

If splunk is running as another user, do this:

runas /noprofile /env /user:domain\username '"%SystemRoot%\System32\Windows\PowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"'

If it runs remote connections as it appears it does... you probably want to add /netonly to the runas

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...