Troubleshoot the Splunk Add-on for Microsoft SCOM
Event indexing lags with the Splunk Add-on for Microsoft SCOM on Splunk 7.2.x or earlier
Splunk 7.3.x has an improvement in the core PowerShell module. To take advantage of this improvement:
- Disable all data inputs which are currently running.
- Stop Splunk.
- Upgrade to Splunk 7.3 or higher.
- Upgrade the Splunk Add-on for Microsoft SCOM to version 2.3.0.
- Start Splunk.
- Enable the configured data inputs.
Custom source types
If you override the default source types set by this add-on, some functionality may fail, including CIM mapping, prebuilt panels, checkpoints, and timestamps. To preserve this functionality, source type overrides are not accepted for any input configured using group metrics.
If your Splunk platform search results are missing data for certain objects in your SCOM that you expect based on the inputs you enabled, consult with your Microsoft SCOM administrator to ensure that SCOM is configured so that these objects are created. The Splunk Add-on for Microsoft SCOM uses only GET commands to return lists of objects. In some cases, the SCOM admin must create the objects first by using ADD commands manually. For example, if you have configured an input to use the Get-SCOMNotificationChannel, the input only produces data if a SCOM admin has previously called the command
The Splunk Add-on for Microsoft SCOM has a log located at
For errors regarding invalid commands, params, or other exceptions, search for
For remote management server connection errors, search for
index=_internal source=*ta_scom.log New SCOMManagementGroupConnection Fail
The Splunk Add-on for Microsoft SCOM allows you to configure logging levels in the configuration UI or in microsoft_scom.conf. Allowed log levels are DEBUG, WARN, and ERROR. The default is WARN. To configure logging using the UI:
- Go to Splunk Web on your data collection node.
- Click Splunk Add-on for Microsoft SCOM on the left side to access the Splunk Add-on for Microsoft SCOM configuration UI.
- Click Configuration, then Logging and select a logging level from the drop-down menu.
A PowerShell log is provided here:
For errors that occur when PowerShell calls the SCOM scripts, search for
Cron expression format
The add-on is configured to expect cron expressions in the Quartz Scheduler format rather than the Unix standard.
See http://www.quartz-scheduler.org/documentation/quartz-2.x/tutorials/crontrigger.html for complete documentation.
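The following is an added example, not code from Splunk or the add-on: a small Python helper that converts a five-field Unix cron expression to the six-field Quartz layout and flags expressions that Quartz's CronTrigger rules reject. The function names `unix_to_quartz` and `quartz_problems` are hypothetical, the sample expressions are constructed, and the field rules (leading seconds field, `?` in exactly one of day-of-month or day-of-week, Sunday numbered 1) are taken from the Quartz documentation linked above.

```python
import re

def unix_to_quartz(expr):
    """Convert 'min hour dom month dow' (Unix) to Quartz 'sec min hour dom month dow'."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 Unix cron fields, got {len(fields)}")
    minute, hour, dom, month, dow = fields
    if dow == "*":
        dow = "?"   # day-of-week unrestricted: mark it "no specific value"
    elif dom == "*":
        dom = "?"   # day-of-month unrestricted: mark it "no specific value"
        # Unix numbers days 0-7 (0 and 7 = Sunday); Quartz uses 1-7 (1 = Sunday).
        # Numbers that follow '/' are step sizes, not days, so they are left alone.
        dow = re.sub(r"(?<![/\d])\d+", lambda m: str(int(m.group()) % 7 + 1), dow)
    else:
        raise ValueError("Quartz cannot restrict both day-of-month and day-of-week")
    return " ".join(["0", minute, hour, dom, month, dow])  # fire at second 0

def quartz_problems(expr):
    """Return a list of reasons why expr is not a well-formed Quartz expression."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return [f"Quartz needs 6 or 7 fields (seconds first), got {len(fields)}"]
    dom, dow = fields[3], fields[5]
    if (dom == "?") == (dow == "?"):
        return ["exactly one of day-of-month and day-of-week must be '?'"]
    return []

if __name__ == "__main__":
    # Constructed sample schedules, as they might be pasted from a Unix crontab.
    for unix in ["*/5 * * * *", "0 2 * * 1-5", "30 6 * * 0", "15 3 1 * *"]:
        quartz = unix_to_quartz(unix)
        print(f"{unix:<14} -> {quartz:<18} problems: {quartz_problems(quartz)}")
    # A Unix expression used as-is fails the field-count check.
    print(quartz_problems("*/5 * * * *"))
```

An input whose schedule was copied unchanged from a Unix crontab is worth checking this way before investigating missing events.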
The Splunk Add-on for Microsoft SCOM saves checkpoints for some commands to preserve the last indexed date. If you want to index events again, remove all the files in
This documentation applies to the following versions of Splunk® Supported Add-ons: released