Getting Data In

Why is Powershell input not receiving data?

mikelanghorst
Motivator

I had a windows admin create a powershell script for me (requires code-signing, plus app whitelisting complexity), and have configured as a Splunk input.  It's working fine from a powershell prompt, and I can see from _internal that Splunk is executing it, but I'm receiving no output.

Script:

 

 

#main
$command =
{
  try
  {
    $Response = Invoke-WebRequest -Uri 'www.google.com'
    $StatusCode = $Response.StatusCode
  }
  catch
  {
    $StatusCode = $_.Exception.Response.StatusCode.value__
    if ($StatusCode -eq $null){
      $StatusCode = '000'
    }
  }
  return $StatusCode
}
$StatusCode = invoke-command  -ScriptBlock $command
Switch ($StatusCode) {
  '000' { write-warning ('Web_Connectivity url=www.google.com status=failure status_code={0}' -f $statuscode) -Verbose }
  default { write-host ('Web_Connectivity url=www.google.com status=success status_code={0}' -f $statuscode) -ForegroundColor Green }
}

 

 

 

With this inputs.conf:

 

 

[powershell://test-internetaccessSplunk]
script = . "$SplunkHome\etc\apps\test_Windows_Scripts\bin\test-internetaccessSplunk.ps1"
schedule = */5 * 9-16 * 1-5
sourcetype = Script:Web_Connectivity
source = Script:Web_Connectivity
index = win_test

 

 

*note:  schedule to be updated to once/day once it works.

_internal log events: 

 

 

05-10-2022 09:45:00.0001576-7 INFO Start executing script=. "$SplunkHome\etc\apps\test_Windows_Scripts\bin\test-internetaccessSplunk.ps1" for stanza=test-internetaccessSplunk
05-10-2022 09:45:00.8595184-7 INFO End of executing script=. "$SplunkHome\etc\apps\test_Windows_Scripts\bin\test-internetaccessSplunk.ps1" for stanza=test-internetaccessSplunk, execution_time=0.8593608 seconds

 

 

 

 

Labels (3)
0 Karma

mikelanghorst
Motivator

No, transcription isn't enabled.    Splunk version is 8.1.6.

0 Karma

jho-splunk
Splunk Employee
Splunk Employee

Hi @mikelanghorst ,

Do you have PowerShell Transcription enabled, perchance?  And also, what is the version of the Splunk that is running the PowerShell modular input?

Cheers,

 

 - Jo.

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...