I have some powershell scripts scheduled on a windows server and want to track their memory and cpu utilization. And I do have a working solution, but I just wondered what's the best practice here.

So I created a WMI input for Win32_process, which has the "CommandLine" for each powershell.exe instance, and that includes the script name. But out of the box, Splunk cuts off that CommandLine field at the first space. I guess my question is, if there are any props.conf options (or in any other configuration) to let it read that full "line" and not stop at the spaces. It seems to be clever enough to read the WMI feed in a way where it puts each field=value into one line in the _raw data.

The server in question has a universal forwarder installed. And that has an app with the wmi.conf in it:

[WMI:powershell.exe]
index = perfmon
disabled = 0
interval = 60
wql = SELECT CommandLine, ProcessId, WorkingSetSize, KernelModeTime, UserModeTime from Win32_process WHERE Name = 'powershell.exe'

And on the indexer, the sourcetype is configured in the props.conf like this:

[WMI:powershell.exe]
FIELDALIAS-dest_for_perfmon = host AS dest
FIELDALIAS-src_for_perfmon = host AS src
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Custom
disabled = false

In the end, my goal is to get that script name, so I just added a field extraction for that:

EXTRACT-ScriptName = CommandLine=powershell.exe+\s+\-command+\s+"&\s+'*(?P<ScriptName>[^("|')]+)

Is that the best way of doing it?
Hey - I'm taking my first steps on extracting fields with RegEx and can't seem to get this one working .. any help would be appreciated
The events look like this:
12/10/2019 07:40:23 AM
Message=Scheduled task has reported an event.
Task ID: 089546a0-3a4b-4b66-9e4e-43bc9a1f48a6
Object name: Exo-Process-Changes
Start date: 12/10/2019
Start time: 7:40:00 AM
Script module: Exo-Process-Changes
Task execution was completed
And want to get that very last line, and put it in a "task_status" field.
This is my RegEx (well.. one of 20 I tried)
Script module: .*[\n\s\r]*(?<task_status>[^\n\r]*)
So I'm basically looking for that "Script module:" line, and want to take the next line that comes after the line breaks and white spaces.
I used a similar, yet more complex RegEx to extract multiple fields from a different event log, and that worked fine. So I don't get what's wrong with this one.
Just using the field extractor wizard would be great, too, but it seems that my events are longer (line count) than the field extractor can work with.
Thanks in advance
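Added example, not part of either post above: a small Python harness that runs the two extraction regexes from the posts (the EXTRACT-ScriptName pattern from the WMI question and the "Script module:" pattern from this one) against constructed sample events, so a pattern can be checked offline before it goes into props.conf. Splunk's extraction engine is PCRE, which accepts both the (?P<name>...) and the (?<name>...) named-group syntax; Python's re module accepts only the former, so the task_status group is written that way here and nothing else in the posted patterns is changed. The whole-line field=value regex (FIELD_LINE_RE) and both event texts are assumptions constructed for this test, not data from the posts' systems.

```python
import re
from typing import Optional

# Constructed sample events (not captured from a real system), shaped like the
# two posts describe: a WMI Win32_Process event with one field=value per line
# (the CommandLine value contains spaces, which is what auto key=value
# extraction trips over), and a scheduled-task event whose last line is the status.
WMI_RAW = (
    "20191210074023.000000\n"
    "CommandLine=powershell.exe -command \"& 'C:\\Scripts\\Exo-Process-Changes.ps1'\"\n"
    "ProcessId=4321\n"
    "WorkingSetSize=52428800\n"
    "KernelModeTime=1562500\n"
    "UserModeTime=9375000\n"
)

TASK_RAW = (
    "12/10/2019 07:40:23 AM\n"
    "Message=Scheduled task has reported an event.\n"
    "Task ID: 089546a0-3a4b-4b66-9e4e-43bc9a1f48a6\n"
    "Object name: Exo-Process-Changes\n"
    "Start date: 12/10/2019\n"
    "Start time: 7:40:00 AM\n"
    "Script module: Exo-Process-Changes\n"
    "Task execution was completed\n"
)

# Assumed whole-line capture: the value runs to the end of its line instead of
# stopping at the first space. MULTILINE makes ^ match at every line start.
FIELD_LINE_RE = re.compile(r"^(?P<key>\w+)=(?P<value>[^\r\n]*)", re.MULTILINE)

# The EXTRACT-ScriptName pattern exactly as posted. Note that a trailing "+"
# binds to the single preceding character, so "exe+" means "ex" followed by
# one or more "e"; it still matches "powershell.exe".
SCRIPT_NAME_RE = re.compile(
    r"CommandLine=powershell.exe+\s+\-command+\s+\"&\s+'*(?P<ScriptName>[^(\"|')]+)"
)

# The task_status pattern as posted, with only the group syntax changed for
# Python. Without DOTALL, ".*" stops at the end of the "Script module:" line,
# "[\n\s\r]*" consumes the line break(s), and the group captures the next line.
TASK_STATUS_RE = re.compile(r"Script module: .*[\n\s\r]*(?P<task_status>[^\n\r]*)")


def extract_wmi_fields(raw: str) -> dict:
    """Return every field=value pair with its full value, plus ScriptName if found."""
    fields = {m.group("key"): m.group("value") for m in FIELD_LINE_RE.finditer(raw)}
    m = SCRIPT_NAME_RE.search(raw)
    if m:
        fields["ScriptName"] = m.group("ScriptName")
    return fields


def extract_task_status(raw: str) -> Optional[str]:
    """Return the line following 'Script module:', or None when there is none."""
    m = TASK_STATUS_RE.search(raw)
    if not m:
        return None
    status = m.group("task_status").strip()
    # An empty capture means "Script module:" was the last line of the event.
    return status or None


if __name__ == "__main__":
    print(extract_wmi_fields(WMI_RAW))
    print(extract_task_status(TASK_RAW))
    # Windows event text often arrives with CRLF line endings; check that too.
    print(extract_task_status(TASK_RAW.replace("\n", "\r\n")))
```

Running the script prints the full CommandLine value, the script path captured as ScriptName, and "Task execution was completed" for both LF and CRLF variants of the task event. If a pattern passes here but not in Splunk, the difference is in the event text Splunk actually sees (extra whitespace, a different line break sequence, or a different field order), which is worth comparing against the _raw of a real event.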
I'm bad with certificates and using the guides that are out there always made me end up with errors in Firefox and Chrome, possibly because of the way our AD CA is configured.
Anyway, the following process finally worked out great:
We have a standard process to request certs from our AD CA, out of the regular Windows certificate MMC. With that I end up with a CER file I install in Windows.
Then again from the certificate MMC, I export that to a PFX file, check to include the private key, check to include all certs and give it a password.
Then download OpenSSL and run the following commands to convert the PFX to a PEM and then export the KEY from the PEM:
openssl pkcs12 -in export.pfx -out cacert.pem
openssl rsa -in cacert.pem -out servername.key
Put the cacert.pem and servername.key in \Splunk\etc\auth\mycerts
Edit the web.conf under \Splunk\etc\system\local
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = C:\Program Files\Splunk\etc\auth\mycerts\servername.key
serverCert = C:\Program Files\Splunk\etc\auth\mycerts\cacert.pem