Getting Data In

Troubleshooting why a powershell script is not running

DamageSplunk
Explorer

I have an app that I'm deploying called fake-app on Windows systems. It's based on getting the share permissions in the Splunk blog a
few weeks ago.

[note: fake app is how I deploy and test new apps before I send them out to all systems]

dir .\fake-app /s /b
\deployment-apps\fake-app\bin\RunWin32_Share.cmd
\deployment-apps\fake-app\bin\Win32_Share.ps1
\deployment-apps\fake-app\local\inputs.conf

The app is distributed to the servers.

inputs.conf

[powershell://RunWin32_Share]
script = .\bin\Win32_Share.ps1
DATETIME_CONFIG = CURRENT
#run it every 5 minutes
schedule = */5 * * * *
index = machine
sourcetype = Win32Share

If you run the script on the machine it works just fine but trying to get it to run under the UniversalForwarder doesn't appear to work.

I don't see where the execution is getting tried and failing in the logs though

Any ideas on why it's failing or how to troubleshoot?

gflynn
Explorer

In inputs.conf, try:

script = $SplunkHome\etc\apps\fake-app\bin\Win32_Share.ps1
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!