Getting Data In

How to ingest PowerShell script that outputs json?

rufflabs
Explorer

Hello, 

I have a PowerShell script that parses emails and pulls out specific header data that I want in Splunk. While writing the script I decided to have it output JSON as I thought that would be a good option to feed to Splunk. I produced a sample JSON log file (one line of JSON per message I want parsed) and set up a sourcetype via the interactive add data wizard. I then added that sourcetype to my app's props.conf.

My issue is I cannot seem to find the right way to get Splunk to execute the PowerShell script. I've tried script:// with the .ps1, with a .path file, and recently tried powershell:// with a script parameter. Nothing seems to be working.

Any guidance on how to make this work would be great. I don't want to have to resort to a scheduled task running the script which outputs to a log file that Splunk monitors, but I can do that if I need to.

Here is my inputs.conf that I tried:


[script://$SPLUNK_HOME/etc/apps/phishalert/bin/phishalert_output.ps1]
disabled = 1
interval = 300
index = email
source = phishalert
sourcetype = phishalert

[script://$SPLUNK_HOME/etc/apps/phishalert/bin/phishalert_output.path]
disabled = 1
interval = 300
index = email
source = phishalert
sourcetype = phishalert

[powershell://PhishAlertOutput]
disabled = 1
script = . "$SPLUNKHOME/etc/apps/phishalert/bin/phishalert_output.ps1"
schedule = */5 * * * *
sourcetype = phishalert


Here is the props.conf:

[phishalert]
DATETIME_CONFIG = 
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
TIMESTAMP_FIELDS = timestamp
category = Structured
description = Phish alert json data.
disabled = false
pulldown_type = true


0 Karma
1 Solution

PickleRick
SplunkTrust

You use slashes as path separators, not backslashes. In my experience something like this worked:

[powershell://your-stanza-name]
script = . "$SplunkHome\etc\apps\your_app\bin\scripts\your_script.ps1"


0 Karma

cklunck
Path Finder

Splunk is being asked to run a PowerShell script on what looks like a *nix system. Is there a PowerShell interpreter installed on this Splunk host?

If so, you may need to do something like:

[script://path/to/pwsh $SPLUNK_HOME/etc/apps/phishalert/bin/phishalert_output.ps1]


There are a few other options in the [script] section of inputs.conf.spec that you might want to explore, including "start_by_shell".

0 Karma

rufflabs
Explorer

This is all Windows, what makes you think it's Linux? Did I misconfigure something?

0 Karma


rufflabs
Explorer

Hah, that shouldn't matter because PowerShell can interpret both methods, but sure enough that got it working. Thanks!

0 Karma
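The thread settles how to launch the script but never shows what the script's output has to look like for the props.conf above (INDEXED_EXTRACTIONS = json, TIMESTAMP_FIELDS = timestamp, LINE_BREAKER on newlines) to index it cleanly. The following is an added example, not the original poster's phishalert_output.ps1: it parses two constructed RFC 5322-style header blocks (sample data, not real mail), keeps only a fixed set of headers, normalises the Date header to ISO 8601 UTC in a field named timestamp, and writes one compressed JSON object per line. The field names, the ConvertFrom-HeaderBlock / ConvertTo-PhishAlertEvent function names and the sample headers are all assumptions for illustration; how the script is invoked (dot-sourced from a [powershell://] stanza, as in the accepted answer) is unchanged.

```powershell
# Added example (not the original poster's script): emit one compressed JSON
# object per message in the shape a sourcetype with INDEXED_EXTRACTIONS = json
# and TIMESTAMP_FIELDS = timestamp can consume. Field names and the two sample
# header blocks below are assumptions/constructed data for illustration.

# Constructed sample: two RFC 5322-style header blocks. A real script would
# read these from the mail store instead.
$sampleMessages = @(
@'
From: "Payroll" <payroll@example.test>
To: user@example.test
Subject: Action required: update your direct deposit
Date: Tue, 14 May 2024 09:12:33 +0000
Message-ID: <abc123@mail.example.test>
Received: from mx.example.test (10.0.0.5)
 by edge.example.test
Authentication-Results: spf=fail smtp.mailfrom=example.test; dkim=none
'@,
@'
From: helpdesk@example.test
To: user@example.test
Subject: Password expires today
Date: Tue, 14 May 2024 10:01:07 +0000
Message-ID: <def456@mail.example.test>
Authentication-Results: spf=pass smtp.mailfrom=example.test; dkim=pass
'@
)

function ConvertFrom-HeaderBlock {
    param([Parameter(Mandatory)][string]$HeaderText)
    # Unfold continuation lines (leading whitespace) per RFC 5322, then split
    # "Name: value". Repeated headers (e.g. Received) are kept as arrays.
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
            $name  = $Matches[1].ToLowerInvariant()
            $value = $Matches[2].Trim()
            if ($headers.ContainsKey($name)) {
                $headers[$name] = @($headers[$name]) + $value
            } else {
                $headers[$name] = $value
            }
        }
    }
    return $headers
}

function ConvertTo-PhishAlertEvent {
    param([Parameter(Mandatory)][hashtable]$Headers)
    # Normalise Date to ISO 8601 UTC so TIMESTAMP_FIELDS = timestamp parses it;
    # fall back to "now" rather than emitting an event with no usable timestamp.
    $parsed = [datetimeoffset]::MinValue
    $ts = if ($Headers['date'] -and [datetimeoffset]::TryParse($Headers['date'], [ref]$parsed)) {
        $parsed.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    } else {
        [datetime]::UtcNow.ToString('yyyy-MM-ddTHH:mm:ssZ')
    }
    # Forward only a fixed allow-list of headers; arbitrary sender-controlled
    # headers are not copied wholesale into the index.
    $received = if ($Headers['received']) { @($Headers['received']) } else { @() }
    [ordered]@{
        timestamp    = $ts
        from         = $Headers['from']
        to           = $Headers['to']
        subject      = $Headers['subject']
        message_id   = $Headers['message-id']
        auth_results = $Headers['authentication-results']
        received     = $received
    }
}

# One object per line: -Compress keeps each event on a single line so
# LINE_BREAKER = ([\r\n]+) splits events correctly; -Depth avoids truncation
# of the nested received array.
foreach ($msg in $sampleMessages) {
    $evt = ConvertTo-PhishAlertEvent -Headers (ConvertFrom-HeaderBlock -HeaderText $msg)
    Write-Output ($evt | ConvertTo-Json -Compress -Depth 4)
}
```

Run on its own the script prints two single-line JSON events; the first carries "timestamp":"2024-05-14T09:12:33Z" and a one-element received array, the second has spf=pass in auth_results. The allow-list in ConvertTo-PhishAlertEvent is deliberate: a phishing mail's headers are attacker-supplied, so only the fields the alerting actually needs are forwarded, and the timestamp field is always present so Splunk does not fall back to index time for events whose Date header is missing or malformed.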