Getting Data In

PowerShell input for Splunk universal forwarder - Windows Server

chimbudp
Contributor

I am just trying to create a dashboard which shows Windows System information (like Task Manager)

Powershell script:

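# Keep only processes with a non-zero working set, then add the owner of each one
Get-Process | Where-Object {$_.WS -gt 0MB} | ForEach-Object -Begin {
    # Query WMI once; its process objects expose GetOwner()
    $Owner = Get-WmiObject -Class Win32_Process
} -Process {
    $ID = $_.Id
    # Look up the owner once per process; the WMI entry is missing if the process started after the snapshot
    $WmiProcess = $Owner | Where-Object {$_.ProcessID -eq $ID}
    $ProcessOwner = if ($WmiProcess) { $WmiProcess.GetOwner() }
    New-Object -TypeName 'PSCustomObject' -Property @{
        'UserName' = $ProcessOwner.User
        'DomainName' = $ProcessOwner.Domain
        'ProcessName' = $_.ProcessName
        'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB)
    } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed
}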

Output of the script:

UserName               DomainName           ProcessName       MemoryUsed
---------              ----------           -----------       ----------
NETWORK SERVICE        NYYYY                chrome            6.61 MB
SYSTEM                 NYYYY                Explorer          17.80 MB
User1                  CCTTT                cmd               9.65 MB

The script runs fine and the execution policy is set to RemoteSigned.

I set inputs.conf to read the script in the bin directory, but I am unable to get the output as expected. Are any modifications needed in the script?

I created a .cmd file to open the PowerShell script and placed both the .ps1 and .cmd in the /bin directory.

Inputs.conf

[script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd]
interval = 0
sourcetype = winperf
index = main

afamoyib
Path Finder

For PowerShell, if you want to do it via the input file, you will need a path file; this is the easiest solution.

  • Step 1: Create a script and store it in a directory. For this example I will use C:\temp\bin\test.ps1
  • Step 2: Create a path file (file.path): C:\temp\bin\testpath.path
  • Step 3: Store this in your path file: $SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\temp\bin\test.ps1'"
  • Step 4: Create the inputs.conf file
0 Karma

halr9000
Motivator

You should try the PowerShell Addon, I think you'll have a better experience with it. The addon is a PowerShell host, implemented as a Splunk modular input.

Be sure to read the README, there are some caveats. But it's a cool solution, and the basis for several Splunk Apps like MS Exchange. No more creating a .cmd file to launch powershell.exe. You can even embed bare PowerShell statements in inputs.conf.

rmillerscjcom
New Member

The README link in the body of this post is missing the last "E"; it should be: https://github.com/splunk/splunk-powershell-modularinput/tree/master/Package/README

0 Karma

linu1988
Champion

Hello,
Put the scripts in the bin/scripts folder.

[script://$SPLUNK_HOME\etc\apps\MSICreated\bin\scripts\Status.cmd]
interval = 0
sourcetype = winperf
index = main

Status.cmd should have:

 @powershell -File E:\Apps\SplunkUniversalForwarder\etc\apps\MSICreated\bin\scripts\Status.ps1 

Thanks

chimbudp
Contributor

thanks abhi..

0 Karma
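
An added example, not code from any poster in this thread: a variant of the question's script that writes one key=value line per process to stdout instead of a formatted table, since a scripted input indexes whatever the script prints. The field names, the leading UTC timestamp and the function names are assumptions chosen for illustration.

```powershell
# Status.ps1 variant (added example): one key=value event per process on stdout.
# Field names and layout are assumptions for illustration, not a Splunk-defined schema.

function Format-KvValue {
    param([object]$Value)
    # Quote the value and neutralise embedded quotes and line breaks,
    # so a crafted name cannot split one event into two or forge extra fields.
    $s = [string]$Value
    $s = $s -replace '[\r\n]+', ' ' -replace '"', "'"
    return '"{0}"' -f $s
}

function Get-ProcessEvents {
    # Snapshot the WMI process objects once and index them by PID.
    $wmiByPid = @{}
    Get-WmiObject -Class Win32_Process | ForEach-Object { $wmiByPid[[int]$_.ProcessId] = $_ }

    # One UTC timestamp for the whole run, placed at the start of every line.
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $inv   = [System.Globalization.CultureInfo]::InvariantCulture

    foreach ($p in (Get-Process | Where-Object { $_.WS -gt 0 })) {
        $user = ''
        $domain = ''
        $wmi = $wmiByPid[[int]$p.Id]
        if ($wmi) {
            try {
                $o = $wmi.GetOwner()
                # ReturnValue 0 means success; anything else (e.g. access denied) leaves the owner empty.
                if ($o.ReturnValue -eq 0) { $user = $o.User; $domain = $o.Domain }
            } catch { }   # the process exited between the snapshot and this call
        }
        # Plain number with '.' as decimal separator, regardless of the server's locale.
        $memMB = [math]::Round($p.WS / 1MB, 2).ToString($inv)

        '{0} pid={1} process_name={2} user={3} domain={4} memory_mb={5}' -f `
            $stamp, $p.Id, (Format-KvValue $p.ProcessName),
            (Format-KvValue $user), (Format-KvValue $domain), $memMB
    }
}

Get-ProcessEvents
```

Keeping memory_mb numeric (no " MB" suffix or thousands separator) lets a dashboard sort and aggregate on it directly.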