Troubleshoot the Splunk Add-on for Microsoft SCOM
General troubleshooting
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Custom source types
If you attempt to override the default source types set by this add-on, be aware that some functionality may fail, including CIM mapping, prebuilt panels, checkpoints, and timestamps. For all inputs configured using group metrics, source type overrides are not accepted to preserve this functionality.
Missing data
If your Splunk platform search results are missing data for certain SCOM objects that you expect based on the inputs you enabled, consult with your Microsoft SCOM administrator to ensure that SCOM is configured so that these objects are created. The Splunk Add-on for Microsoft SCOM uses only GET commands to return lists of objects. In some cases, the SCOM admin must create the objects first by using ADD commands manually. For example, if you have configured an input to use the Get-SCOMNotificationChannel command, the input only produces data if a SCOM admin has previously called the command Add-SCOMNotificationChannel manually.
Add-on logs
The Splunk Add-on for Microsoft SCOM has a log located at %SPLUNK_HOME%\var\log\splunk\ta_scom.log.
For errors regarding invalid commands, params, or other exceptions, search for
index=_internal source=*ta_scom.log
For remote management server connection errors, search for
index=_internal source=*ta_scom.log New SCOMManagementGroupConnection Fail
For server validation related errors, search for
index=_internal sourcetype=ms:scom:log:server_validation
For input validation related errors, search for
index=_internal sourcetype=ms:scom:log:input_validation
For performance filter parameter validation related errors, search for
index=_internal sourcetype=ms:scom:log:performance_filter_parameter_validation
Logging levels
The Splunk Add-on for Microsoft SCOM allows you to configure logging levels in the configuration UI or in microsoft_scom.conf. Allowed log levels are DEBUG, WARN, and ERROR. The default is WARN. To configure logging using the UI:
- Go to Splunk Web on your data collection node.
- Click Splunk Add-on for Microsoft SCOM on the left side to access the Splunk Add-on for Microsoft SCOM configuration UI.
- Click Configuration, then Logging and select a logging level from the drop-down menu.
PowerShell logs
A PowerShell log is provided here: %SPLUNK_HOME%\var\log\splunk\splunk-powershell.ps1.log.
For errors that occur when PowerShell calls the SCOM scripts, search for
index=_internal source=*powershell*.log
Cron expression format
The add-on expects cron expressions in the Quartz Scheduler format rather than the Unix standard format.
See the Quartz documentation for the complete syntax.
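An added example, not part of the Splunk documentation or the add-on's code: a Python check that tells a five-field Unix cron expression from a Quartz one and converts the former. The function names and sample schedules are assumptions; the field layout and the '?' rule follow the Quartz CronTrigger documentation, and field contents are not otherwise validated.

```python
import re

def classify(expr):
    """Return 'unix', 'quartz' or 'invalid' from field count and the '?' rule."""
    fields = expr.split()
    if len(fields) == 5:
        return "unix"      # minute hour day-of-month month day-of-week
    if len(fields) in (6, 7):
        # Quartz: seconds minutes hours day-of-month month day-of-week [year],
        # with '?' required in exactly one of the two day fields.
        dom, dow = fields[3], fields[5]
        return "quartz" if (dom == "?") != (dow == "?") else "invalid"
    return "invalid"

def _shift_dow(field):
    """Map Unix weekday numbers (0 or 7 = Sunday) to Quartz numbers (1 = Sunday)."""
    def shift(part):
        rng, _, step = part.partition("/")   # leave any /step value untouched
        rng = re.sub(r"\d+", lambda m: str(int(m.group()) % 7 + 1), rng)
        return rng + ("/" + step if step else "")
    return ",".join(shift(p) for p in field.split(","))

def unix_to_quartz(expr):
    """Convert a five-field Unix cron expression to a six-field Quartz one."""
    if classify(expr) != "unix":
        raise ValueError("expected a five-field Unix cron expression")
    minute, hour, dom, month, dow = expr.split()
    if dow == "*":
        dow = "?"                         # schedule is driven by day-of-month
    elif dom == "*":
        dom, dow = "?", _shift_dow(dow)   # schedule is driven by day-of-week
    else:
        raise ValueError("Quartz cannot restrict both day fields at once")
    return " ".join(["0", minute, hour, dom, month, dow])   # fire at second 0

if __name__ == "__main__":
    # Constructed sample schedules, not taken from the add-on's configuration.
    for sample in ["*/5 * * * *", "30 2 * * 1-5", "0 */5 * * * ?", "0 0 12 * * *"]:
        kind = classify(sample)
        fixed = unix_to_quartz(sample) if kind == "unix" else "-"
        print(f"{sample!r:20} {kind:8} {fixed}")
```

A Unix expression that restricts both day-of-month and day-of-week has no single Quartz equivalent, so the converter raises ValueError instead of guessing.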
Re-indexing events
The Splunk Add-on for Microsoft SCOM saves checkpoints for some commands to preserve the last indexed date. If you want to index events again, remove all the files in %SPLUNK_HOME%\var\lib\splunk\modinputs\scom.