Getting Data In

How to troubleshoot why my PowerShell scripted input is not being run?

mark19632
New Member

I've set up a new scripted input using powershell as follows:

Inputs.conf:

[script://$SPLUNK_HOME\bin\scripts\RESENDREQUEST.path]
source = RESENDREQUESTLOG
sourcetype = RESENDREQUESTLOG
interval = 10
disabled = 0

Created RESENDREQUEST.path in $SPLUNK_HOME\bin\scripts:

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"

Now, powershell isn't being run and I see no errors in the splunkd.log file.

Any ideas?

Thanks!

Mark

0 Karma
1 Solution

javiergn
Super Champion

If you are running 6.3 PowerShell is supported natively:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsDatawithPowerShellscripts

If not I would probably go and install the PowerShell add-on:
https://splunkbase.splunk.com/app/1477/

If you can't (or don't want) to install the add-on, then double check paths and quotes in your scripts as this is usually the most common source of error. See this other post.

Thanks,
J

View solution in original post

javiergn
Super Champion

If you are running 6.3 PowerShell is supported natively:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsDatawithPowerShellscripts

If not I would probably go and install the PowerShell add-on:
https://splunkbase.splunk.com/app/1477/

If you can't (or don't want) to install the add-on, then double check paths and quotes in your scripts as this is usually the most common source of error. See this other post.

Thanks,
J

youngsuh
Contributor
0 Karma

mark19632
New Member

So it does!

All working now and much simpler.

Thanks!

0 Karma

javiergn
Super Champion

That's great news.
If you are happy with the answer then could you mark is as "answered" so that others can benefit from it?

Thanks,
J

0 Karma

jkat54
SplunkTrust
SplunkTrust

He could mark it as the answer, but he might want to change his question if so.

I gave steps on troubleshooting powershell, you hit the nail on the head as to his root issue. The question doesnt mention latest Splunk.

Good to know it has native support now!

0 Karma

jkat54
SplunkTrust
SplunkTrust

You can use some tools such as runas.exe or psexec.exe to run the same powershell command as the user splunk is running as to see what happens.

You may be running into an issue related to the execution policy of the machine you're on. See Get-ExecutionPolicy and Set-ExecutionPolicy.

runas.exe and psexec are console apps, so you can execute them at command prompt. Open a command prompt with administrative rights on the Universal Forwarder and try the following:

If splunk is running as system user, do this:

 psexec -i -s '"%SystemRoot%\System32\Windows\PowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"'

If splunk is running as another user, do this:

runas /noprofile /env /user:domain\username '"%SystemRoot%\System32\Windows\PowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\bin\scripts\RESENDREQUEST.ps1"'

If it runs remote connections as it appears it does... you probably want to add /netonly to the runas

Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...