Getting Data In

Powershell modular input, Get-Process, some processes do not forward to splunk, possibly large values

cmorrall
Engager

I'm monitoring a number of processes on a dozen or so Windows hosts.

I've not written a script, the input is simply defined something like:

Get-Process | Where-Object {$_.Name -like "vendor*.exe"}

Assume the vendor executables all start with Vendor. This worked fine initially, I picked up 4 or 5 processes and got all the details for each process. This is admittedly a lot of information but I figured I'd rather gather too much at this time.

As we started to use the application, some values like VirtualMemorySize started going up.

Now, one of the processes with a large (almost 2 GB) value for VirtualMemorySize simply stopped appearing in Splunk. Others still work fine.

When trying the exact same Get-Process | Where-Object {$_.Name -like "vendor*.exe"} on the Windows host in a Powershell command window, I get results for all the processes, including the one I'm missing in Splunk, I notice on the table view, some values are a bit mangled, presumeably because the values are large.

I suspect somehow output where some values are large, they get dropped or are in some other way lost. I've not been able to pinpoint exactly what, but for example this Powershell Input works and picks up all processes:

Get-Process | Where-Object {$_.Name -like "vendor*.exe"} | Select-Object Name,CPU

But this does not
Get-Process | Where-Object {$_.Name -like "vendor*.exe"} | Select-Object Name,CPU,VirtualMemorySize

Anyone got any insight into this?

0 Karma
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...