Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to troubleshoot why my PowerShell scripted input is not being run?

mark19632
New Member
‎12-17-2015 06:01 AM

I've set up a new scripted input using powershell as follows:

Inputs.conf:

[script://$SPLUNK_HOME\bin\scripts\RESENDREQUEST.path]
source = RESENDREQUESTLOG
sourcetype = RESENDREQUESTLOG
interval = 10
disabled = 0

Created RESENDREQUEST.path in $SPLUNK_HOME\bin\scripts:

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"

Now, powershell isn't being run and I see no errors in the splunkd.log file.

Any ideas?

Thanks!

Mark

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-17-2015 08:19 AM

If you are running 6.3 PowerShell is supported natively:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsDatawithPowerShellscripts

If not I would probably go and install the PowerShell add-on:
https://splunkbase.splunk.com/app/1477/

If you can't (or don't want) to install the add-on, then double check paths and quotes in your scripts as this is usually the most common source of error. See this other post.

Thanks,
J

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎12-17-2015 08:19 AM

If you are running 6.3 PowerShell is supported natively:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsDatawithPowerShellscripts

If not I would probably go and install the PowerShell add-on:
https://splunkbase.splunk.com/app/1477/

If you can't (or don't want) to install the add-on, then double check paths and quotes in your scripts as this is usually the most common source of error. See this other post.

Thanks,
J

Reply
Solved! Jump to solution

youngsuh
Contributor
‎01-04-2024 08:26 AM

Monitor Windows data with PowerShell scripts - Splunk Documentation

 

Here is the update link to docs.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

mark19632
New Member
‎12-17-2015 01:26 PM

So it does!

All working now and much simpler.

Thanks!

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎12-18-2015 02:57 AM

That's great news.
If you are happy with the answer then could you mark is as "answered" so that others can benefit from it?

Thanks,
J

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-18-2015 04:00 AM

He could mark it as the answer, but he might want to change his question if so.

I gave steps on troubleshooting powershell, you hit the nail on the head as to his root issue. The question doesnt mention latest Splunk.

Good to know it has native support now!

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-17-2015 07:05 AM

You can use some tools such as runas.exe or psexec.exe to run the same powershell command as the user splunk is running as to see what happens.

You may be running into an issue related to the execution policy of the machine you're on. See Get-ExecutionPolicy and Set-ExecutionPolicy.

runas.exe and psexec are console apps, so you can execute them at command prompt. Open a command prompt with administrative rights on the Universal Forwarder and try the following:

If splunk is running as system user, do this:

 psexec -i -s '"%SystemRoot%\System32\Windows\PowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"'

If splunk is running as another user, do this:

runas /noprofile /env /user:domain\username '"%SystemRoot%\System32\Windows\PowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"'

If it runs remote connections as it appears it does... you probably want to add /netonly to the runas

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...