Getting Data In

When executing two different PowerShell scripts in inputs.conf, why does only one script work?

Danii
New Member

Hi
I'm trying to execute 2 different powershell scripts with different sourcetypes but on the same index. one of them is running but the second does not.

moreover, when i put one of the scripts in disabled=false and the other as true, it runs ok.

did it happen to someone?

0 Karma

adayton20
Contributor

A few things:

If it still isn't working after that:

  • Have you checked splunkd.log for that stanza/script for any errors? If no, try that. You can do this via the search head by looking in index=_internal sourcetype=splunkd

  • Do these two different scripts provide two unique outputs? Ie, do not have the same hash value?

0 Karma

Danii
New Member

thanks for the answer,
for the 3 first points it's OK it is like this, i was wrong while copying it.

Now the problem is that it takes both of them with bat files but it take each row as a single event.
did it happen to you somehow?

0 Karma

Danii
New Member

it brings me to splunk the bat text 😞

can you put you example please?

0 Karma

adayton20
Contributor

Sure, try something like this:

@echo off powershell.exe -ExecutionPolicy bypass -file "X:\Path\to\your\script.ps1"
0 Karma

Danii
New Member

it parse each row as single event.
do you know what can I do about it?

0 Karma

Danii
New Member

sorry for the delay,
I've just tried it but and it does the job this time but again only for one of the scripts

0 Karma

Danii
New Member

but then can i make it with two different sourcetypes?

0 Karma

adayton20
Contributor

Yeah, using the same method you have above. Just replace the .ps1 with the .bat which calls the .ps1. You can keep the same sourcetypes or change them at your leisure.

0 Karma

Danii
New Member

yeah sure, that's my input.conf:

First Script

[powershell://first_script]
script= . "$SplunkHome/etc/.... firstScript.ps1"
index= first_script

schedule = 00 4 * * *

sourcetype= first_script
disabled = false

Second Script

[powershell://second_script]
script= . "$SplunkHome/etc/.... secondScript.ps1"
index= second_script

schedule = 00 5 * * *

sourcetype= second_script
disabled = false

0 Karma

adayton20
Contributor

This happened to me a few months ago. I fixed it by creating a batch script to call the powershell script.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Can you share your input.conf configuration (for these two scripted input)?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...