Hi Splunkerds, I have struggled with powershell for a while and thought that after all the great tips I got from you, I'd repay you by posting a solution. The problem is, that the documentation for the inputs.conf section on powershell offers little to none help to actually get things right. Some things to note that the documentation seems to miss are: - If your script returns strings, then every line of output will be a single event and it will bypass anything that you do in order to reassemble the events. Forget SHOULD_LINEMERGE and LINE_BREAKER. They are simply ignored as if the UF using the powershell input actually passes cooked events to splunk. - Consequently, as a result of the above: If you want to pass anything more complex than a single line, you have to pass the events as powershell objects Now for a practical and working example, let's pull the output of the certutil.exe into splunk using powershell: First, test the command in powershell to see the raw data:      # certutil -view -out 'NotBefore,NotAfter,SerialNumber,RequestID,CertificateTemplate,DistinguishedName'     Now, for the solution, let's take a look at inputs.conf:     [powershell://CertStore-LocalUser] disabled = 0 script = . "$SplunkHome\etc\apps\<yourappname>\bin\Get-LocalUserCertificates.ps1" schedule = */30 * * * * sourcetype = windows:certs     Note the script line: It's taken me some time to get the invocation right. The docs could be clearer. Here is the content of the Get-LocalUserCertificates.ps1 script located in the <yourappname>/bin directory as an example/template of how to take a linear (string) based input, iterate over the lines, cut them with regexes and create new objects for every Row or Entry section, assign the keys and pass them to splunk:     $certutil = "$($env:SystemRoot)\system32\certutil.exe" $certutilOutput = Invoke-Expression "$certutil -view -out 'NotBefore,NotAfter,SerialNumber,RequestID,CertificateTemplate,DistinguishedName'" $currentKey = $null $currentValue = $null $certutilOutput -split [environment]::NewLine | foreach { switch -regex ($_){ '[Entry|Row] \d+:(.*)' { # New Object found $currentObject = New-Object psobject $currentValue = $null continue } '(\s{2})(?<key>[\w\s]+):\s*(?<value>.*)' { # Add key / value pair to Object if($currentObject){ if( -not $matches.value){ $currentKey = $matches.key.Trim() $currentValue = $null } else { $currentObject | Add-Member -MemberType NoteProperty -Name $($matches.key.Trim()) -Value $($matches.value.trim(@("'",'"','`'))) -Force } } } '^$' { # if it exists, pass the object to splunk if($currentObject){ if($currentKey -and $currentValue){ $currentObject | Add-Member -MemberType NoteProperty -Name $($currentKey) -Value $($currentValue) -Force } # pass the object to splunk $currentObject # reset the object after it has been passed $currentObject = $null $currentKey = $null $currentValue = $null } } default { # Save Values of Multiline Parameters if a current Key exists if($currentObject -and $currentKey){ $currentValue += $_+"`n" } } } } # return the last row object if($currentKey -and $currentValue){ $currentObject | Add-Member -MemberType NoteProperty -Name $($currentKey) -Value $($currentValue) -Force } $currentObject      Note: If your command delivers a list of PS Objects, you just iterate over that list with .Next, passing ever object that your list holds.  Hope it helps somebody! Happy splunkin' Oliver ... View more

Hi fellow Splunkers, I've stumbled upon a cool piece of code, namely the ASX app that allows you to load configurations from Splunk's security content API and run/schedule analytic stories in the context of ES. Question: It's probably just me, but is there an easy way to configure HTTP proxy for the app, other than tweaking the code? I'm somewhat reluctant to touch the .py libs since I assume I have just overlooked the documentation that says: " asx.conf: proxy=http://<user>:<passwd>@<proxy>:<port>" Has anybody hit the same snag and can help with a little code? Cheers Oliver ... View more