Hello, I have a PowerShell script that parses emails and pulls out specific header data that I want in Splunk. While writing the script I decided to have it output JSON, as I thought that would be a good option to feed to Splunk. I produced a sample JSON log file (one line of JSON per message I want parsed) and set up a sourcetype via the interactive Add Data wizard. I then added that sourcetype to my app's props.conf.

My issue is that I cannot seem to find the right way to get Splunk to execute the PowerShell script. I've tried script:// with the ps1, with a .path file, and recently tried powershell:// with a script parameter. Nothing seems to be working. Any guidance on how to make this work would be great. I don't want to have to resort to a scheduled task running the script which outputs to a log file that Splunk monitors, but I can do that if I need to.

Here is my inputs.conf that I tried:

[script://$SPLUNK_HOME/etc/apps/phishalert/bin/phishalert_output.ps1]
disabled = 1
interval = 300
index = email
source = phishalert
sourcetype = phishalert
[script://$SPLUNK_HOME/etc/apps/phishalert/bin/phishalert_output.path]
disabled = 1
interval = 300
index = email
source = phishalert
sourcetype = phishalert
[powershell://PhishAlertOutput]
disabled = 1
script = . "$SPLUNKHOME/etc/apps/phishalert/bin/phishalert_output.ps1"
schedule = */5 * * * *
sourcetype = phishalert

Here is the props.conf:

[phishalert]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
TIMESTAMP_FIELDS = timestamp
category = Structured
description = Phish alert json data.
disabled = false
pulldown_type = true