Getting Data In

Powershell input for Splunk universal forwarder - Windows Server

Contributor

I am just trying to create a dashboard which shows Windows System information (like Task Manager)

Powershell script:

Get-Process  | Where-Object {$_.ws -gt 0MB} | ForEach-Object -Begin {
    $Owner = Get-WmiObject -Class Win32_Process
} -Process {
    $ID = $_.Id
    New-Object -TypeName 'PSCustomObject' -Property @{
        'UserName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().User
        'DomainName' = ($Owner | Where-Object {$_.ProcessID -eq $ID}).GetOwner().Domain
        'ProcessName' = $_.ProcessName
        'MemoryUsed' = "{0:N2} MB" -f ($_.WS / 1MB)
    } | Select-Object -Property UserName,DomainName,ProcessName,MemoryUsed
}

Output of the script:

UserName               DomainName           ProcessName       MemoryUsed
---------              ----------           -----------       ----------
NETWORK SERVICE        NYYYY                chrome            6.61 MB
SYSTEM                 NYYYY                Explorer          17.80 MB
User1                  CCTTT                cmd               9.65 MB

The Script runs fine and Exeution-Policy are set to Remote-Signed

I set the inputs.conf to read the Script at bin directory, but unable to get the output as expected? Does any modifications needed at script ?

I created a .cmd file to open the powershell script and placed both the .ps1 & .cmd at /bin directory

Inputs.conf

[script://E:\APPS\SplunkUniversalForwarder\etc\apps\MSICreated\bin\Status.cmd]
interval = 0
sourcetype = winperf
index = main

Path Finder

For powershell if you want to do it via the input file. You will need a path file, this is the easiest solution.

  • step 1 create a script and store it in a directory. For this example i will use C:\temp\bin\test.ps1
  • Step 2 create a path file(file.path). C:\temp\bin\testpath.path
  • Step 3 Store this in your path file . Store this in the path $SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -command " C:\temp\bin\test.ps1'"
  • Step 4 Create the inputs.conf file
0 Karma

Motivator

You should try the PowerShell Addon, I think you'll have a better experience with it. The addon is a PowerShell host, implemented as a Splunk modular input.

Be sure to read the README, there are some caveats. But it's a cool solution, and the basis for several Splunk Apps like MS Exchange. No more creating a .cmd file to launch powershell.exe. You can even embed bare PowerShell statements in inputs.conf.

New Member

The link readme link in the body of this post is missing the last "E", it should be: https://github.com/splunk/splunk-powershell-modularinput/tree/master/Package/README

0 Karma

Champion

Hello,
Put the scripts in bin/script folder

[script://$SPLUNK_HOME\etc\apps\MSICreated\bin\scripts\Status.cmd]
interval = 0
sourcetype = winperf
index = main

Status.cmd should have:

 @powershell -File E:\Apps\SplunkUniversalForwarder\etc\apps\MSICreated\bin\scripts\Status.ps1 

Thanks

Contributor

thanks abhi..

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!