Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

When executing two different PowerShell scripts in inputs.conf, why does only one script work?

Danii
New Member
‎12-12-2016 06:39 AM

Hi
I'm trying to execute 2 different powershell scripts with different sourcetypes but on the same index. one of them is running but the second does not.

moreover, when i put one of the scripts in disabled=false and the other as true, it runs ok.

did it happen to someone?

0 Karma
Reply

adayton20
Contributor
‎12-21-2016 07:32 AM

A few things:

If it still isn't working after that:

  • Have you checked splunkd.log for that stanza/script for any errors? If no, try that. You can do this via the search head by looking in index=_internal sourcetype=splunkd

  • Do these two different scripts provide two unique outputs? Ie, do not have the same hash value?

0 Karma
Reply

Danii
New Member
‎12-25-2016 11:06 PM

thanks for the answer,
for the 3 first points it's OK it is like this, i was wrong while copying it.

Now the problem is that it takes both of them with bat files but it take each row as a single event.
did it happen to you somehow?

0 Karma
Reply

Danii
New Member
‎12-14-2016 06:36 AM

it brings me to splunk the bat text 😞

can you put you example please?

0 Karma
Reply

adayton20
Contributor
‎12-14-2016 06:52 AM

Sure, try something like this:

@echo off powershell.exe -ExecutionPolicy bypass -file "X:\Path\to\your\script.ps1"
0 Karma
Reply

Danii
New Member
‎12-26-2016 01:26 AM

it parse each row as single event.
do you know what can I do about it?

0 Karma
Reply

Danii
New Member
‎12-21-2016 05:40 AM

sorry for the delay,
I've just tried it but and it does the job this time but again only for one of the scripts

0 Karma
Reply

Danii
New Member
‎12-14-2016 05:32 AM

but then can i make it with two different sourcetypes?

0 Karma
Reply

adayton20
Contributor
‎12-14-2016 05:40 AM

Yeah, using the same method you have above. Just replace the .ps1 with the .bat which calls the .ps1. You can keep the same sourcetypes or change them at your leisure.

0 Karma
Reply

Danii
New Member
‎12-13-2016 11:01 PM

yeah sure, that's my input.conf:

First Script

[powershell://first_script]
script= . "$SplunkHome/etc/.... firstScript.ps1"
index= first_script

schedule = 00 4 * * *

sourcetype= first_script
disabled = false

Second Script

[powershell://second_script]
script= . "$SplunkHome/etc/.... secondScript.ps1"
index= second_script

schedule = 00 5 * * *

sourcetype= second_script
disabled = false

0 Karma
Reply

adayton20
Contributor
‎12-14-2016 04:22 AM

This happened to me a few months ago. I fixed it by creating a batch script to call the powershell script.

0 Karma
Reply

somesoni2
Revered Legend
‎12-12-2016 09:03 AM

Can you share your input.conf configuration (for these two scripted input)?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...