Took a while to figure out how to restart the UF from a scripted input. I tried many options; in most cases the forwarder stopped but never started again. Not an option. The root cause is that a stop of splunkd on Windows forces the parent process of the PowerShell script itself to stop executing. This solution works (tested with UF version 6.3.3 and 6.4):
I used a .path file, a PowerShell script (.ps1) and a command file (.cmd). Put all three scripts in the same app/bin folder.
The path file enables bypassing the default PowerShell security policy, which (normally) prevents the .ps1 from executing when called directly from inputs.conf. The .ps1 is the do-something app; the cmd file is necessary to spawn a separate process (not a child of splunkd) that will restart the forwarder.
In YOUR_APP\default\inputs.conf on the forwarder:
[script://.\bin\<myscript.path>]
interval = -1
disabled = 0
myscript.path:
$SystemRoot\System32\WindowsPowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -command " &'$SPLUNK_HOME\etc\apps\YOUR_APP\bin\<myscript.ps1>' "
The file myscript.ps1: code to disable the script input in inputs.conf
You really need this code to prevent boot loops. Do not put other stuff in this inputs.conf without modifying this code. It will replace every = 0 with = 1 present in the inputs.conf. You might place other inputs.conf stanzas in a different inputs.conf.
# Directory that holds this script (YOUR_APP\bin)
$script_dir = Split-Path $script:MyInvocation.MyCommand.Path
# Resolve YOUR_APP\default, then build the full path to inputs.conf
$inputsconf_file = Resolve-Path (($script_dir, "..", "default") -join "\")
$inputsconf_file = $inputsconf_file, "inputs.conf" -join "\"
# Rewrite the file so the script input is disabled before the restart
(Get-Content $inputsconf_file) |
Foreach-Object {$_ -replace " 0", " 1"} |
Foreach-Object {$_ -replace "=0 ", "=1"} |
Foreach-Object {$_ -replace "false ", "true"} |
Out-File $inputsconf_file
The file myscript.ps1 code to initiate a restart:
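# ufrestart.cmd sits next to this script and is started as a separate process
$reset_script = $script_dir, "ufrestart.cmd" -join "\"
# Service name handed to ufrestart.cmd as %1 ($args is an automatic variable, so it is not reused here)
$service_name = "SplunkForwarder"
Start-Process -FilePath $reset_script -ArgumentList $service_name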
The ufrestart.cmd:
@echo off
sleep 5
net stop %1
net start %1
exit
Have fun!
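A stanza-scoped alternative to the blanket replace in myscript.ps1, as an added example that is not part of the original post: it sets disabled = 1 only inside the named stanza, so other inputs in the same inputs.conf are left alone. The function name Disable-InputStanza, the sample file and the monitor stanza are hypothetical, and the file is assumed to be plain ASCII.

```powershell
# Added example, not the poster's code. Disables exactly one stanza.
function Disable-InputStanza {
    param(
        [Parameter(Mandatory)] [string] $Path,    # inputs.conf to edit
        [Parameter(Mandatory)] [string] $Stanza   # header text without brackets
    )
    $header   = "[$Stanza]"
    $inTarget = $false   # currently inside the stanza we want
    $found    = $false   # target header was seen at least once
    $set      = $false   # a disabled key was written in the target
    $out = New-Object System.Collections.Generic.List[string]

    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[.*\]\s*$') {
            # Leaving the target without a disabled key: add one first.
            if ($inTarget -and -not $set) { $out.Add('disabled = 1'); $set = $true }
            $inTarget = ($line.Trim() -eq $header)
            if ($inTarget) { $found = $true }
        }
        elseif ($inTarget -and $line -match '^\s*disabled\s*=') {
            $line = 'disabled = 1'
            $set  = $true
        }
        $out.Add($line)
    }
    if ($inTarget -and -not $set) { $out.Add('disabled = 1') }
    if (-not $found) { throw "Stanza $header not found in $Path" }
    # Explicit encoding: Out-File in Windows PowerShell defaults to UTF-16.
    Set-Content -LiteralPath $Path -Value $out -Encoding ASCII
}

# Constructed sample: the restart stanza plus an unrelated input that stays enabled.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'inputs.conf.sample'
@'
[script://.\bin\myscript.path]
interval = -1
disabled = 0

[monitor://C:\logs\app.log]
disabled = 0
'@ | Set-Content -LiteralPath $sample -Encoding ASCII

Disable-InputStanza -Path $sample -Stanza 'script://.\bin\myscript.path'
Get-Content -LiteralPath $sample
```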