Pushing Powershell Scripts out via Universal Forwa...

kjehth93 · ‎02-27-2025

I would like to run powershell scripts and commands out to my endpoints via the Universal Forwarder, but based on the script or command i would like to specifiy which endpoint it goes to/which it collects an output from. I have attempted this with the following entry in the local inputs.conf, but it still ran on all the endpoints.

[powershell://find_version]

script = [powershell command here]

host = [XXX]

index = [index here]

schedule = [cron here]

disabled = 0

livehybrid · ‎02-27-2025

Hi @kjehth93

In order to specify which hosts this goes to, you probably need to look at your Deployment Server configuration - are you already using this to deploy an app with the inputs.conf in?

Place the app in /opt/splunk/etc/deployment-apps/<yourAppName>

Go to https://yourSplunkInstance/en-US/manager/system/deploymentserver

On the "Server Class" tab select "New Server Class", and give it a name. Then proceed to add your App, and then head to add Clients.

When adding clients you can use wildcards alongwith IPs and/or hostnames in an allow/deny approach to target the hosts you'd like to deploy this inputs.conf to.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

Pushing Powershell Scripts out via Universal Forwarder - Specifying specific hosts

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation