Hello all,
I can't seem to get a PowerShell or batch script to "successfully" execute.
When I attempt to run a batch, I receive the following error in splunkd.log:
Error while executing script [Error 193] %1 is not a valid Win32 application
In regards to a PowerShell script:
If I attempt to run a ps1, even with #!c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe as the first line, the exit code seems to be not 0.
Having changed/added the following to runshellscript.py:
Line 223: beneath the subprocess.popen call under if mswindows: add: output = p.stdout.read()
Line 231: then under if code!=0: modify results = splunk.Intersplunk.generateErrorResults("Script: " + str(output))
I saw an error with runshellscript.py improperly escaping the arguments. Having had a | in my Splunk query, runshellscript.py allowed the | to be treated as a command line pipe, not as part of the query.
After removing the pipe from the Splunk query (and restoring runshellscript.py to its original form), PowerShell seems to exit with code 0, but my script does not successfully execute/do anything observable.
The scripts are as follows:
tester.bat:
@echo off
echo %SPLUNK_ARG_0% > "C:\program files\splunk\bin\scripts\testbat.out"
echo "bat started" >> "C:\Program Files\Splunk\bin\scripts\testbat.out"
c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -file "C:\Program Files\Splunk\bin\scripts\tester.ps1" %*
echo "bat finishing" >> "C:\Program Files\Splunk\bin\scripts\testbat.out"
tester.ps1:
#!c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
#docs.splunk.com/Documentation/Splunk/6.5.0/Alert/Configuringscriptedalerts
$scriptname = $Args[0]
$numberofeventsreturned = $Args[1]
$searchterms = $Args[2]
$fqquerystring = $Args[3]
$nameofreport = $Args[4]
$alerttriggerreason = $Args[5]
$reportbrowserurl = $Args[6]
$gzippedresultsfile = $Args[8]
write-output "start" >> "C:\Program Files\Splunk\bin\scripts\test.csv"
write-output $($args -join ";") >> "C:\Program Files\Splunk\bin\scripts\test.csv"
write-output "done" >> "C:\Program Files\Splunk\bin\scripts\test.csv"
I see some older documentation on Windows script execution in the following locations:
http://wiki.splunk.com/Community:TroubleshootingAlertScripts
http://docs.splunk.com/Documentation/Splunk/6.5.1/Alert/Configuringscriptedalerts
https://answers.splunk.com/answers/171871/powershell-script-triggered-from-alert-is-not-exec.html <== wish it was this simple
However, none of the suggestions are of assistance, and it appears to be an issue directly related to how runshellscript.py is written.
Has anyone had any success executing Alert scripts on Windows with Splunk v6.4.4?
Thank you for your time,
Matt
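
Added example, not part of the original post and not Splunk's code: a Python check for the failure mode described above, where a | inside a search string reaches cmd.exe as a pipe. It assumes the launcher flattens its argument list with subprocess.list2cmdline and that the resulting line is parsed by cmd.exe (as happens for a .bat); the function names and the sample argument lists are constructed for illustration.

```python
import subprocess

# Characters cmd.exe acts on when they appear outside double quotes.
CMD_META = set("&|<>")


def exposed_metachars(cmdline):
    """Return (index, char) for each metacharacter cmd.exe would interpret.

    cmd.exe toggles quote state on every double quote and does not treat a
    backslash as an escape, so the \\" produced for an embedded quote still
    flips the state. Outside quotes, a caret escapes the next character.
    """
    found = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and c == "^":
            i += 1  # skip the escaped character
        elif not in_quotes and c in CMD_META:
            found.append((i, c))
        i += 1
    return found


def audit(argv):
    """Flatten argv the way subprocess does on Windows, then scan the result."""
    line = subprocess.list2cmdline(argv)
    return line, exposed_metachars(line)


# Constructed argument lists standing in for what an alert might pass.
SAMPLES = [
    ["tester.bat", "index=main | stats count"],       # spaces: whole arg quoted
    ["tester.bat", "index=main|stats"],                # no spaces: never quoted
    ["tester.bat", 'index=main msg="error | warn"'],   # embedded quotes flip state
]

if __name__ == "__main__":
    for argv in SAMPLES:
        line, hits = audit(argv)
        status = "EXPOSED %r" % hits if hits else "ok"
        print("%-50s %s" % (line, status))
```

The second and third samples are flagged: list2cmdline quotes only for spaces and tabs, and its backslash-escaped quotes follow the C runtime's rules rather than cmd.exe's, so a query can pass through it and still present a bare | to the shell.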