
need help with splunk btool in powershell

satyaallaparthi
Communicator

Hello,

How can I write a PowerShell script for running the btool command?

Wherever I am directly running it in PowerShell, that is working fine. But when I store "C:\Program Files\Splunk\bin\splunk" cmd btool props list --debug in test.ps1 and run the script from PowerShell, I am getting the error.

Unfortunately, Splunk team does not always have access to the server, so we have to either gain access (takes time and approvals) or involve the server owner to run some Splunk commands.

Rather than walk the server owner through a bunch of long command strings, we should use a script.

Write a PowerShell script that will:

Start in a UniversalForwarder directory.

Run btool for inputs, outputs, props, and transforms and send the output to .txt files.

Then zip up those 4 files along with the contents of /etc/apps/* and /etc/system/local/* into a single zip file as an output.

The server owner can then mail that .zip file to us and we can diagnose the UF.

Thanks,
Satya Allaparthi

1 Solution

rmmiller
Contributor

I suspect you are probably running into an error because you don't have an ampersand in front of your splunk.exe command. PowerShell gets really confused if you try to do that with something that isn't a PowerShell cmdlet or alias. Adding a "&" in front of it solves that problem.

I assumed you might not be running the latest PowerShell, but if you are, the zipping part could be simplified using PowerShell 5's native Compress-Archive cmdlet.

To use this, run the script and you should have a zip created in $env:TEMP named SplunkTroubleshootingArchive_timestampformat.zip. For example: SplunkTroubleshootingArchive_05122019113952.zip

The script will tell you where the zip file is for easy copy/pasting. No Splunk knowledge necessary.

I didn't include a lot of error handling in here. I'm relying on BYOEH (Bring Your Own Error Handling). I also wouldn't call this pretty, but this works for the tests I ran and should get you in the right direction.

# Roll own function to create zip files since PowerShell version is unknown
# Copied from https://stackoverflow.com/questions/1153126/how-to-create-a-zip-archive-with-powershell
function ZipFiles($zipfilename,$sourcedir,$inclRoot)
{
   Add-Type -Assembly System.IO.Compression.FileSystem
   $compressionLevel = [System.IO.Compression.CompressionLevel]::Optimal
   [System.IO.Compression.ZipFile]::CreateFromDirectory($sourcedir,$zipfilename,$compressionLevel,$inclRoot)
}

#####################################################################
# Parameters you should customize for your environment/use case
#####################################################################
# If splunkd is running, programmatically get SplunkUF directory
# (-First 1 guards against more than one splunkd.exe process being present)
$splunkUFDir = (Get-Process "splunkd" -ErrorAction SilentlyContinue | Select-Object -First 1).Path -replace '\\bin\\splunkd\.exe',''
# SplunkUF directory - hard-coded for your environment
#$splunkUFDir = "C:\Program Files\Splunk"

# Stop early if splunk.exe cannot be found; otherwise every btool call below fails
if (-not $splunkUFDir -or -not (Test-Path -LiteralPath "$splunkUFDir\bin\splunk.exe"))
{
    throw "Could not locate splunk.exe. Set `$splunkUFDir to the Splunk install directory."
}

# Array of conf files for btool to parse
$confFiles = @("props","inputs","outputs","transforms")

# Array of Splunk directories to include in zip
$splunkDirsToZip = @("\etc\apps","\etc\system\local")

# Format for timestamp that can be used in file paths
$dateTime = Get-Date -Format "ddMMyyyyHHmmss"
#####################################################################

# Make a directory in $env:TEMP for constructing zip file
$logFolder = New-Item -Path $env:TEMP -Name $($dateTime+"_Splunklogs") -ItemType "directory"

# Loop over the conf files to create output files
# Output is written to temporary directory based on timestamp
# The call operator (&) is required because the quoted path is otherwise just a string expression
foreach ($conf in $confFiles)
{
    & "$splunkUFDir\bin\splunk.exe" cmd btool $conf list --debug | Out-File -FilePath $($logFolder.FullName+"\"+$dateTime+"_"+$conf+".txt") -Force
}

# Loop over the directories to create zip files written to temporary directory based on timestamp
foreach ($d in $splunkDirsToZip)
{
    # Replace the slashes and backslashes with underscores for zip file name, but convert all to backslashes for compression call
    $dirZipFile = $($logFolder.FullName+"\"+$dateTime+"_"+($d -replace '/|\\','_')+".zip") -replace '/','\'
    $srcDir = ($splunkUFDir+$d) -replace '/','\'
    ZipFiles $dirZipFile $srcDir $false
}

# Now zip up the temporary directory into a single zip
# Pass the directory's full path (a string), not the DirectoryInfo object, to CreateFromDirectory
$splunkTroubleshootingArchive = (($logFolder.Parent.FullName)+"\SplunkTroubleshootingArchive_"+$dateTime+".zip") -replace '/','\'
ZipFiles $splunkTroubleshootingArchive $logFolder.FullName $false

# Clean up temporary log directory only if the archive file really exists on disk
# (testing the variable alone only checks that the path string is non-empty)
if (Test-Path -LiteralPath $splunkTroubleshootingArchive)
{
    Remove-Item $logFolder -Recurse -Force -ErrorAction SilentlyContinue
    Write-Output "Zip archive is at:`n`t`t$splunkTroubleshootingArchive"
} else {
    Write-Warning "Script failure.  No zip archive created."
}

Some useful references for you:
https://stackoverflow.com/questions/24940243/running-cmd-command-in-powershell
https://stackoverflow.com/questions/1153126/how-to-create-a-zip-archive-with-powershell
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/?view=powershell-5.1

Hope that helps!
rmmiller


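An added example, not rmmiller's script and not Splunk's own tooling, that performs the same collection on PowerShell 5 or later using the built-in Compress-Archive cmdlet that the answer mentions, with the error handling the answer leaves out: it checks that splunk.exe exists, checks $LASTEXITCODE after each btool run, copies the two config directories so their relative layout survives in the archive, and only deletes the working directory once the zip is confirmed on disk. The default install path and the SplunkDiag_ working-directory name are assumptions; pass -SplunkHome to point it at a different install. Note that the btool --debug output and the copied .conf files can carry settings such as sslPassword or pass4SymmKey values, so the resulting zip should be treated as sensitive when it is mailed back.

```powershell
# Added example (not the original poster's or answerer's code).
# Collects btool output and UF config into a single zip using Compress-Archive.
# Assumptions: default UF install path below; run with read access to etc\apps
# and etc\system\local.
param(
    [string]$SplunkHome = "C:\Program Files\SplunkUniversalForwarder"
)

$ErrorActionPreference = 'Stop'

$splunkExe = Join-Path $SplunkHome 'bin\splunk.exe'
if (-not (Test-Path -LiteralPath $splunkExe)) {
    throw "splunk.exe not found at $splunkExe; pass -SplunkHome with the forwarder's install directory."
}

$stamp   = Get-Date -Format 'yyyyMMddHHmmss'
$workDir = Join-Path $env:TEMP "SplunkDiag_$stamp"   # assumed working-directory name
$null    = New-Item -ItemType Directory -Path $workDir

# The '&' call operator is what makes a quoted path (with spaces) execute
# rather than be evaluated as a string expression.
foreach ($conf in 'inputs','outputs','props','transforms') {
    $outFile = Join-Path $workDir "btool_$conf.txt"
    & $splunkExe cmd btool $conf list --debug | Out-File -FilePath $outFile -Encoding UTF8
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "btool $conf exited with code $LASTEXITCODE; see $outFile"
    }
}

# Copy the config directories so their relative layout survives in the archive.
foreach ($rel in 'etc\apps','etc\system\local') {
    $src = Join-Path $SplunkHome $rel
    if (Test-Path -LiteralPath $src) {
        $dst  = Join-Path $workDir $rel
        $null = New-Item -ItemType Directory -Path $dst -Force
        Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force
    } else {
        Write-Warning "Skipping missing directory $src"
    }
}

$archive = Join-Path $env:TEMP "SplunkTroubleshootingArchive_$stamp.zip"
Compress-Archive -Path (Join-Path $workDir '*') -DestinationPath $archive -CompressionLevel Optimal

# Remove the working directory only after the archive is confirmed to exist.
if (Test-Path -LiteralPath $archive) {
    Remove-Item -LiteralPath $workDir -Recurse -Force
    Write-Output "Zip archive is at: $archive"
} else {
    Write-Warning "No archive was created; the working directory $workDir was left in place."
}
```

Run it from any directory as .\Collect-SplunkDiag.ps1, or .\Collect-SplunkDiag.ps1 -SplunkHome "C:\Program Files\Splunk" for a full Splunk Enterprise install; stderr from btool is deliberately not redirected with 2>&1, because under $ErrorActionPreference = 'Stop' Windows PowerShell 5.1 turns the first stderr line of a native command into a terminating error.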


jhornsby_splunk
Splunk Employee

Hi @satyaallaparthi ,

What is the error that you are getting? Can you provide the exact PowerShell that you are using to invoke btool?

Cheers,

- Jo.
