Run a script after Splunk service stops

cboillot · ‎10-15-2021

If I were to have the UF run a PowerShell script, and that script stops the UF, does that also end that PowerShell script session? If so, is there a way to keep it running?

scelikok · ‎10-16-2021

Hi @cboillot,

I think you are trying to run a script to change setting UF and restart. Stopping the UF process will also stop the Powershell script since it is a child.

You can continue your Powershell actions using another Powershell script by starting a second script for stopping or restarting UF. You should start the second one using the "Start-Process" command. This command will create a separate process that will not be the child of UF.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

cboillot · ‎10-18-2021

This is what I had thought, but its not working. It gets to the point were it stops Splunk, but then nothing. The file I have in referenced in the inputs is named 'kickoff.ps1'.

start-process powershell.exe "-noexit -noprofile -executionpolicy bypass . C:\SplunkUniversalForwarder\etc\apps\upgradeTest\bin\splunkforwarder-install.ps1"

This is working as it the referenced script stops Splunk. But after that, it just stops. The script itself works as I can run it from the desktop successfully.

gcusello · ‎10-16-2021

Hi @cboillot,

sorry but using Splunk you cannot run actions on Universal Forwarders, you have to find a different way.

As a workaround, you could create an alert on the Splunk server that runs a remote Powershell script, if acceptable for you.

Ciao.

Giuseppe

Run a script after Splunk service stops

scripted input

universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?