Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Stephan_BP
Stephan_BP
Loves-to-Learn Lots
Member since:
03-18-2022
09-22-2022
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 03-18-2022 |
Activity Feed
- Posted Re: Powershell Script Input via JSON not parsing correctly? on Getting Data In. 09-21-2022 12:29 AM
- Posted Re: Powershell Script Input via JSON not parsing correctly? on Getting Data In. 09-20-2022 01:34 AM
- Posted Re: Powershell Script Input via JSON not parsing correctly? on Getting Data In. 09-12-2022 06:15 AM
- Posted Powershell Script Input via JSON not parsing correctly? on Getting Data In. 07-26-2022 04:37 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
09-21-2022
12:29 AM
Hi scelikok, not sure i get what u mean 🙂 Yes my Output of the Powershellscript is in the Format of: [ { User1values}, {User2values}, ... {UserXvalues} ] and this might be a problem? Splunk correctly creates the events like i want it to For Each User 1 Event. From this point of view i feel its working fine... I simply dont get why the values are wrong... and not only wrong... simply the same for each User except for a few fields... and right after a Universalforwarderservice restart it seems to work now but only there... (except i have double extractions now and have to fix this now aswell) ... each scheduled start of the script it again gives me wrong values...
... View more
09-20-2022
01:34 AM
Ok, i gotten a bit further now... it seems to work properly "ONCE" after i restart the SplunkForwarderService, but the next scheduled time it executes it goes back to leave data out of the events... cant see errors anymore either... I am really confused by now 🙂 maybe someone seeing this behavior? Props.conf on Universalforwarder thats working "ONCE" after Restart: [_json2] pulldown_type = true INDEXED_EXTRACTIONS = json AUTO_KV_JSON = false TRUNCATE = 100000 CHARSET = utf-8 KV_MODE = none category = Structured
... View more
09-12-2022
06:15 AM
No One? 🙂 at least a discussion would be nice... i can also see errors in the internal log... some parsing / linebreaker errors... but i cant find those on the file if i output vie | out-file <filename> from powershell... the resulting .json is ok according to testtools and i cant find any problems... i am at a loss... Errors: had parsing error:Unexpected character while looking for value: ',' - data_source="powershell://Get_AD_Report", data_host="nope", data_sourcetype="_json" JSON StreamId:2583583993661161172 had parsing error:Unexpected character while looking for value: '}' - data_source="powershell://Get_AD_Report", data_host=" nope ", data_sourcetype="_json" JSON StreamId:2583583993661161172 had parsing error:Unexpected character while parsing backslash escape: 'x' - data_source="powershell://Get_AD_Report", data_host=" nope ", data_sourcetype="_json" JSON StreamId:2583583993661161172 had parsing error:Unexpected character while looking for value: ']' - data_source="powershell://Get_AD_Report", data_host=" nope ", data_sourcetype="_json" So yes i would also say there should be a /x somewhere in the data... cant find it after i output it... i "think" its a encoding/decoding problem of some kind... i assume powershell direkt output is some Charset and maybe i just have to find the right Charset in Splunk... but somehow i simply dont get my actual problem 🙂
... View more
07-26-2022
04:37 AM
Hi 🙂
i have a curious problem. (btw. not my first Powershell input 🙂 )
I am trying to Input some Active Directory Data into Splunk right now. Below a bit changed output of my Script:
[
{
"SpecialUsers_S": false,
"SpecialUsers_X": false,
"SpecialUsers_U": false,
"SpecialUsers_A": false,
"SpecialUsers_TBM": false,
"SpecialUsers_T": false,
"HR_Canceled_Users": false,
"HR_Inactive_Users": false,
"HR_Temporary-Inactive_Users": false,
"FehlerStatus": "0",
"PasswordNeverExpires_State": "null",
"OU_State": "null",
"Account_State": "null",
"Manager_State": "null",
"Account_Expiration_Date": "null",
"EmployeeNumberError": "null",
"DescriptionError": "null",
"ManagersViaGroup": "null",
"Wrong_Name": "null",
"Wrong_EMail": "null",
"Manager_Description": "null",
"Multiple_SpecialGroups": "null",
"Multiple_HR_Groups": "null",
"SamAccountName": "SamAccount01",
"Enabled": true,
"EmployeeNumber": "11112",
"SN": "Surname01",
"Description": "0200000000",
"Department": "Department01",
"Company": "The Firm",
"emailaddress": "Email01@domain.com",
"DistinguishedName": "The Distinguished Name 01",
"hkDS-EntryDate": "09.09.1991 02:00:00",
"LastLogonDate": "18.07.2022 07:22:38",
"PasswordLastSet": "02.06.2022 09:22:36"
},
{
"SpecialUsers_S": false,
"SpecialUsers_X": false,
"SpecialUsers_U": false,
"SpecialUsers_A": false,
"SpecialUsers_TBM": false,
"SpecialUsers_T": false,
"HR_Canceled_Users": false,
"HR_Inactive_Users": false,
"HR_Temporary-Inactive_Users": false,
"FehlerStatus": "0",
"PasswordNeverExpires_State": "null",
"OU_State": "null",
"Account_State": "null",
"Manager_State": "null",
"Account_Expiration_Date": "null",
"EmployeeNumberError": "null",
"DescriptionError": "null",
"ManagersViaGroup": "null",
"Wrong_Name": "null",
"Wrong_EMail": "null",
"Manager_Description": "null",
"Multiple_SpecialGroups": "null",
"Multiple_HR_Groups": "null",
"SamAccountName": "SamAccount02",
"Enabled": true,
"EmployeeNumber": "11113",
"SN": "Surname02",
"Description": "000000000",
"Department": "Department02",
"Company": "The Firm",
"emailaddress": "email02@Domain.com",
"DistinguishedName": "The Distinguished Name 01",
"hkDS-EntryDate": "10.10.2002 02:00:00",
"LastLogonDate": "18.07.2022 08:07:31",
"PasswordLastSet": "26.05.2022 17:27:42"
}
]
Exported into File and testet with Validators all is fine.
But what i see in Splunk is:
"SpecialUsers_S": false,
"SpecialUsers_X": false,
"SpecialUsers_U": false,
"SpecialUsers_A": false,
"SpecialUsers_TBM": false,
"SpecialUsers_T": false,
"HR_Canceled_Users": false,
"HR_Inactive_Users": false,
"HR_Temporary-Inactive_Users": false,
"FehlerStatus": "0",
"PasswordNeverExpires_State": "null",
"OU_State": "null",
"Account_State": "null",
"Manager_State": "null",
"Account_Expiration_Date": "null",
"EmployeeNumberError": "null",
"DescriptionError": "null",
"ManagersViaGroup": "null",
"Wrong_Name": "null",
"Wrong_EMail": "null",
"Manager_Description": "null",
"Multiple_SpecialGroups": "null",
"Multiple_HR_Groups": "null",
"SamAccountName": "SamAccount01",
"Enabled": true,
"EmployeeNumber": "null",
"SN": "",
"Description": "null",
"Department": "null",
"Company": "",
"emailaddress": null,
"DistinguishedName": "The Distinguished Name",
"hkDS-EntryDate": "null",
"LastLogonDate": "null",
"PasswordLastSet": "null"
}
As u can see i am missing a lot of information, and i cant figure out why... Some like SamAccountName and DistinguishedName is working but other variables like Company, Department or Description are missing...
Skript is rather long but if needed i can post Parts of it how i do stuff 🙂
the inputs.conf for this is:
[powershell://Get_AD_Report]
script = . "$SplunkHome\etc\system\bin\Powershell\GetADReport.ps1"
schedule=15 * * * *
sourcetype=_json
index=hk_office365
Maybe someone as some kind of clue whats happening there for me?
Would really help 🙂 am on this for much to long already 😉 and tried so many different ways now...
... View more
Labels
- Labels:
-
JSON
-
scripted input
-
universal forwarder
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-22-2022
03:43 AM
|
