Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is my powershell script for input-stanza not working?

morethanyell
Builder
‎10-16-2023 02:09 PM

Hi community! I've tried and exhausted all my brain cells but I still couldn't make this work. Any ideas?

Below is deployed into a Windows 11 machine, running UF 9.1.1

splunk-playground/TA-powershell_scripting/local/inputs.conf at main · morethanyell/splunk-playground...

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

morethanyell
Builder
‎10-17-2023 04:45 AM

Thanks to reddit user u/chadbaldwin who pointed out that the fault was in using `Write-Host` rather than `Write-Output`; whereas `Write-Host` isn't something Splunk is able to capture.

Replaced the script to use `Write-Output` and it's now working.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

morethanyell
Builder
‎10-17-2023 04:45 AM

Thanks to reddit user u/chadbaldwin who pointed out that the fault was in using `Write-Host` rather than `Write-Output`; whereas `Write-Host` isn't something Splunk is able to capture.

Replaced the script to use `Write-Output` and it's now working.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-17-2023 04:49 AM

You've never scripted on unices, have you? 😉

But seriously - that's kinda obvious. I'd say Write-Output is like writing to stdout whereas Write-Host is more like writing to stderr (yes, I know that this analogy is not 100% correct).

0 Karma
Reply
Solved! Jump to solution

morethanyell
Builder
‎10-17-2023 01:14 PM

I have very little experience with scripting.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-16-2023 02:31 PM

You specified "schedule" setting instead of "interval".

0 Karma
Reply
Solved! Jump to solution

morethanyell
Builder
‎10-16-2023 02:33 PM

In inputs.conf - Splunk Documentation, it says

 

[powershell://<name>]
schedule = [<positive integer>|<cron schedule>]
* How often to run the specified PowerShell command or script.
* You can specify a number in seconds, or provide a valid cron
  schedule.
* Default: Runs the command or script once, at startup.
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-17-2023 12:26 AM

Sorry, you're right. I was checking the "script" input and it has the "interval" parameter whereas powershell indeed has "schedule".

How do you know it's not running (and not just running and producing any results for example)?

What does splunk list inputstatus say?

My definition looks almost identical and works. From what I see you avoided the common pitfall of $SplunkHome so the path is good.

[powershell://script-checker]
script= . "$SplunkHome\etc\apps\cert_checker\bin\scripts\Splunk-cert-checker.ps1"
schedule = 86400
index=internal_auxiliary
sourcetype=kv:cert-checker
event_serialization_format=kv
disabled=0

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...