Getting Data In

Powershell Scripted Input not getting ingested to splunk

jmmontejo
Explorer

Hello,

Please help me identify my issue maybe I'm missing something I don't see.

I created simple powershell script to get data from Certificate Authority server (using certutil command) then package as a splunk application.

After I deployed the app in CA server with Splunk installed, then executed the script manually from powershell ISE, I can see I have an output from console. But during scheduled execution, there's no data in my index. No error in internal logs so I can't identify where is the issue. Any feedback will help. thanks.

Also I already tried other workaround in other thread, still didn't work. (like using .path file, powershell stanza etc..)

 

My .bat file

@ECHO OFF

Powershell.exe -executionpolicy remotesigned -File "%~dpn0.ps1"

inputs.conf

[script://.\bin\scripts\get_ca_issued_certs.bat]
disabled = 0
index = cert_authority_idx
sourcetype = ca_issued_certs
interval = 300

Internal logs:


5:41:24.397 AM
 
02-22-2023 05:41:24.397 -0800 INFO ExecProcessor [6372 ExecProcessor] - New scheduled exec process: "C:\Program Files\Splunk\etc\apps\cert_authority_win_uf\bin\scripts\get_ca_issued_certs.bat"

 

Output when manually executed.

Date=2023-02-22_06:02:00_-08:00,object=Cert Authority,counter=Issued Certs Expiry,RequestID=4,RequesterName=NT AUTHORI
TY\IUSR,SerialNumber=2a0000000455e56fc1482ef85f000000000004,NotAfter=2/21/2024 7:37 AM,Value=364

Date=2023-02-22_06:02:00_-08:00,object=Cert Authority,counter=Issued Certs Expiry,RequestID=5,RequesterName=NT AUTHORI
TY\IUSR,SerialNumber=2a000000052914506fdbd37f24000000000005,NotAfter=2/21/2024 7:39 AM,Value=364

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...