Getting Data In

Is it possible to create a command that launches a PowerShell script?

ng87
Path Finder

We currently have a PowerShell script that queries one of our EDR solutions and returns all data for the specified host.
Essentially the format is like powershell.exe script.ps1 -Host HostA
I was hoping it might be possible to incorporate this script into Splunk so we can do this from within Splunk, unlike at the moment where we always have a PowerShell window open.
Is what I want possible? I have come across a number of articles for PowerShell/Splunk, but they all seem to be set up as 'data inputs' (run the same script every few hours), whereas my use case is slightly different.

If it's possible, do you have any links, or can you point me in the right direction?

0 Karma
1 Solution

s2_splunk
Splunk Employee

What you are looking for is a custom search command. I have not done it, but it should be possible to wrap your PowerShell script invocation in a Python script that is invokable via this mechanism. Maybe this thread holds some more details for you.


0 Karma
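The Python wrapper this answer describes, written out as an added example (it is not s2_splunk's code, the asker's script, or anything shipped by Splunk). It assumes the command is registered as edrhost in the app's commands.conf using the legacy CSV-on-stdout protocol, that the wrapper lives in the app's bin directory next to the PowerShell script (assumed name edrquery.ps1), and that the script has been changed to print its result as JSON; all of those names are placeholders. The point worth noticing is that the host name typed by a user is checked against a strict allow-list and handed to powershell.exe as its own argv element, so nothing entered in the search bar can become an extra PowerShell parameter or expression.

```python
"""
edrhost.py: custom search command that wraps a PowerShell EDR query.

Added example, not code from the thread or from Splunk. Assumptions:
  * this file is $SPLUNK_HOME/etc/apps/<app>/bin/edrhost.py
  * the EDR script is bin/edrquery.ps1 and prints JSON (ConvertTo-Json)
  * the app's commands.conf declares the command like this (assumed stanza):

        [edrhost]
        filename = edrhost.py
        generating = true
        local = true
        enableheader = false
        outputheader = false

Search-bar usage (hypothetical command name):   | edrhost HostA
Requires Python 3.7+ (subprocess capture_output).
"""
import csv
import io
import json
import os
import re
import subprocess
import sys

# Allow-list for host names: labels of letters, digits and hyphens joined by dots,
# first character alphanumeric (so it can never look like "-SomeParameter").
# Spaces, quotes, semicolons, backticks, "$(" and friends are all rejected here,
# before anything reaches powershell.exe.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
PS_SCRIPT = os.path.join(SCRIPT_DIR, "edrquery.ps1")   # assumed script location


def validate_hostname(name):
    """Return the host name unchanged if it passes the allow-list, else raise."""
    if not _HOSTNAME_RE.match(name or ""):
        raise ValueError("invalid hostname: %r" % (name,))
    return name


def build_powershell_argv(script_path, hostname):
    """Argument vector for powershell.exe. Passing a list (never a shell string)
    makes the OS deliver each element as one argument; -NoProfile and
    -NonInteractive keep the run deterministic; everything after -File <path>
    goes to the script itself, here the -Host parameter the thread mentions."""
    return [
        "powershell.exe", "-NoProfile", "-NonInteractive",
        "-File", script_path, "-Host", validate_hostname(hostname),
    ]


def parse_edr_output(text):
    """Turn the script's JSON (one object or a list of objects) into flat rows;
    nested values are kept as JSON strings so they fit a single CSV cell."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]
    rows = []
    for item in data:
        rows.append({k: (v if v is None or isinstance(v, (str, int, float))
                         else json.dumps(v)) for k, v in item.items()})
    return rows


def run_edr_query(hostname, runner=subprocess.run, timeout=60):
    """Run the PowerShell script and return parsed rows. `runner` is injectable
    so the logic can be exercised where PowerShell is not installed."""
    argv = build_powershell_argv(PS_SCRIPT, hostname)
    proc = runner(argv, capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError("edrquery.ps1 failed: %s" % proc.stderr.strip())
    return parse_edr_output(proc.stdout)


def format_results(rows):
    """Render rows as CSV with a header row, the legacy custom-command output."""
    fields = []
    for row in rows:
        for key in row:
            if key not in fields:
                fields.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Splunk passes the search-command arguments in sys.argv[1:] ("| edrhost HostA").
    try:
        results = run_edr_query(sys.argv[1] if len(sys.argv) > 1 else "")
    except Exception as exc:
        # A result whose only field is ERROR is shown by Splunk as an error message.
        results = [{"ERROR": str(exc)}]
    sys.stdout.write(format_results(results))
```

Deployed this way, the dashboard text box only needs to drive a search of the form | edrhost $host$; the wrapper rejects anything that is not a plain host name, runs PowerShell with a timeout and without a shell, and surfaces script failures in the panel instead of leaving it blank.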


ng87
Path Finder

So you don't think it's possible to run the PowerShell command directly (rather than having to 'wrap' it in Python)?

0 Karma

s2_splunk
Splunk Employee

Re-reading your question, I am wondering if this is what you really want. Maybe you can clarify exactly what you would like to do with the data that the script pulls? Do you want each event in your initial result set to be enriched with all the fields that your script returns for a host? If so, that's probably more suited for an automatic external lookup, and you are back to a (simple) Python wrapper for your PowerShell script.

If you just want to pull the information on request by a user, you can consider a workflow action, where a user clicks on a specific event and the workflow action obtains the data from another system. For that to work, you would have to have an HTTP service available to query.

In any case, it depends on your use case. Apologies if I initially misunderstood.

0 Karma

ng87
Path Finder

Essentially I am building an in-house Splunk app for a few bits and pieces (partially to help users and partially for me to learn more about Splunk).
Anyway, currently I have created a 'page' inside the app with just a textbox and submit button where the users enter an IP address, then the search goes through a CSV and returns host details.

Essentially I wanted to replicate that but for the EDR solution, so a basic 'page' with a textbox and submit button where users can enter a hostname and, when they click the submit button, our PowerShell script (with some modification, I'm assuming) goes and fetches the results and just displays them.

PS: forgot to note that each page obviously has an event/stats panel to show results.

0 Karma

s2_splunk
Splunk Employee

Is PowerShell the only way you can interact with your EDR solution? No HTTP/REST? No RDBMS query?

0 Karma

ng87
Path Finder

It's possible to use HTTP/REST, but I have decided to try and go down the 'wrapper' route with Python. Thanks so much for your help.

0 Karma

s2_splunk
Splunk Employee

No worries, let us know how it works out!

0 Karma

s2_splunk
Splunk Employee

Maybe, but I hate to say "it works" given that I haven't tried it myself. Based on our documentation here, you should be able to invoke anything with an extension of .bat, .cmd, .py, .js or .exe natively.

The same link also states that if the "[...] executable file has no extension, or the file extension is not recognized"... "The Splunk software attempts to run the executable directly, without an interpreter."

So you could try to configure powershell.exe as your executable, and your specific .ps1 file as a command argument (command.arg.1).

Alternatively, try to configure your .ps1 file name directly and see if the OS does the right thing.

0 Karma