Getting Data In

Powershell input for Splunk universal forwarder - Windows Server

chimbudp
Contributor

I am just trying to create a dashboard which shows Windows System information (like Task Manager)

Powershell script:

Get-Process  | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin {
    $Owner = Get-WmiObject -Class Win32_Process
} -Process {
    $ID = $_.Id
    New-Object -TypeName 'PSCustomObject' -Property @{
        'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User
        'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain
        'ProcessName' = $_.ProcessName
        'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB)
    } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed
}

Output of the script:

UserName               DomainName           ProcessName       MemoryUsed
---------              ----------           -----------       ----------
NETWORK SERVICE        NYYYY                chrome            6.61 MB
SYSTEM                 NYYYY                Explorer          17.80 MB
User1                  CCTTT                cmd               9.65 MB

The Script runs fine and Exeution-Policy are set to Remote-Signed

I set the inputs.conf to read the Script at bin directory, but unable to get the output as expected? Does any modifications needed at script ?

I created a .cmd file to open the powershell script and placed both the .ps1 & .cmd at /bin directory

Inputs.conf

[script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd]
interval = 0
sourcetype = winperf
index = main

afamoyib
Path Finder

For powershell if you want to do it via the input file. You will need a path file, this is the easiest solution.

  • step 1 create a script and store it in a directory. For this example i will use C:\temp\bin\test.ps1
  • Step 2 create a path file(file.path). C:\temp\bin\testpath.path
  • Step 3 Store this in your path file . Store this in the path $SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command " C:\temp\bin\test.ps1'"
  • Step 4 Create the inputs.conf file
0 Karma

halr9000
Motivator

You should try the PowerShell Addon, I think you'll have a better experience with it. The addon is a PowerShell host, implemented as a Splunk modular input.

Be sure to read the README, there are some caveats. But it's a cool solution, and the basis for several Splunk Apps like MS Exchange. No more creating a .cmd file to launch powershell.exe. You can even embed bare PowerShell statements in inputs.conf.

rmillerscjcom
New Member

The link readme link in the body of this post is missing the last "E", it should be: https://github.com/splunk/splunk-powershell-modularinput/tree/master/Package/README

0 Karma

linu1988
Champion

Hello,
Put the scripts in bin/script folder

[script://$SPLUNK_HOME\etc\apps\MSICreated\bin\scripts\Status.cmd]
interval = 0
sourcetype = winperf
index = main

Status.cmd should have:

 @powershell -File E:\Apps\SplunkUniversalForwarder\etc\apps\MSICreated\bin\scripts\Status.ps1 

Thanks

chimbudp
Contributor

thanks abhi..

0 Karma