Splunk® Supported Add-ons

Splunk Add-on for Microsoft SCOM

Troubleshoot the Splunk Add-on for Microsoft SCOM

General troubleshooting

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Event indexing lags with the Splunk Add-on for Microsoft SCOM on Splunk 7.2.x or earlier

Splunk 7.3.x has an improvement in the core PowerShell module. To take advantage of this improvement:

  1. Disable all data inputs which are currently running.
  2. Stop Splunk.
  3. Upgrade to Splunk 7.3 or higher.
  4. Upgrade the Splunk Add-on for Microsoft SCOM to version 2.3.0.
  5. Start Splunk.
  6. Enable the configured data inputs.

Custom source types

If you attempt to override the default source types set by this add-on, be aware that some functionality may fail, including CIM mapping, prebuilt panels, checkpoints, and timestamps. To preserve this functionality, source type overrides are not accepted for any input configured using group metrics.

Missing data

If your Splunk platform search results are missing data that you expect, based on the inputs you enabled, for certain objects in your SCOM environment, consult with your Microsoft SCOM administrator to ensure that SCOM is configured so that these objects are created. The Splunk Add-on for Microsoft SCOM uses only GET commands to return lists of objects. In some cases, the SCOM admin must create the objects first by using ADD commands manually. For example, if you have configured an input to use the Get-SCOMNotificationChannel command, the input only produces data if a SCOM admin has previously called the Add-SCOMNotificationChannel command manually.

Add-on logs

The Splunk Add-on for Microsoft SCOM has a log located at %SPLUNK_HOME%\var\log\splunk\ta_scom.log.

For errors regarding invalid commands, params, or other exceptions, search for:

index=_internal source=*ta_scom.log

For remote management server connection errors, search for:

index=_internal source=*ta_scom.log New SCOMManagementGroupConnection Fail

Logging Levels

The Splunk Add-on for Microsoft SCOM allows you to configure logging levels in the configuration UI or in microsoft_scom.conf. Allowed log levels are DEBUG, WARN, and ERROR. The default is WARN. To configure logging using the UI:

  1. Go to Splunk Web on your data collection node.
  2. Click Splunk Add-on for Microsoft SCOM on the left side to access the Splunk Add-on for Microsoft SCOM configuration UI.
  3. Click Configuration, then Logging and select a logging level from the drop-down menu.

PowerShell logs

A PowerShell log is provided here: %SPLUNK_HOME%\var\log\splunk\splunk-powershell.ps1.log.

For errors that occur when PowerShell calls the SCOM scripts, search for:

index=_internal source=*powershell*.log

Cron expression format

The add-on is configured to expect cron expressions in the Quartz Scheduler format rather than the Unix standard.

See http://www.quartz-scheduler.org/documentation/quartz-2.x/tutorials/crontrigger.html for complete documentation.
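The difference between the two formats, shown as an added example that is not part of the add-on or of the original documentation: a small Python helper that rewrites a Unix 5-field cron expression into the 6-field Quartz form (seconds first, exactly one of the two day fields set to "?"). The function names are hypothetical, and the conversion is deliberately conservative: it refuses expressions that Quartz cannot express directly instead of guessing.

```python
# Added example: rewrite a Unix 5-field cron expression in Quartz form.
# Field rules are taken from the Quartz CronTrigger tutorial linked above.
DOW_NAMES = ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"]  # Unix 0..6


def _dow_token(tok):
    """Map one Unix day-of-week value (0-7 or a name) to a Quartz day name."""
    if tok.isdigit():
        if int(tok) > 7:
            raise ValueError(f"day-of-week out of range: {tok}")
        return DOW_NAMES[int(tok) % 7]  # Unix accepts both 0 and 7 for Sunday
    return tok.upper()


def _dow_field(field):
    """Rewrite a Unix day-of-week field with names to avoid the numbering shift
    (Unix counts Sunday as 0, Quartz counts Sunday as 1)."""
    if "/" in field:
        raise ValueError("step values in day-of-week are not converted here")
    parts = []
    for part in field.split(","):
        lo, sep, hi = part.partition("-")
        if sep and lo.isdigit() and hi.isdigit() and int(lo) % 7 > int(hi) % 7:
            raise ValueError(f"wrap-around range not converted: {part}")
        parts.append(_dow_token(lo) + (sep + _dow_token(hi) if sep else ""))
    return ",".join(parts)


def unix_to_quartz(expr):
    """Return the Quartz equivalent of a Unix cron expression, or raise."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 Unix cron fields, got {len(fields)}")
    minute, hour, dom, month, dow = fields
    if dow == "*":
        dow = "?"  # Quartz requires '?' in exactly one of the two day fields
    elif dom == "*":
        dom, dow = "?", _dow_field(dow)
    else:
        raise ValueError("both day fields set: Unix ORs them, Quartz cannot")
    return " ".join(["0", minute, hour, dom, month.upper(), dow])  # seconds = 0


def looks_like_quartz(expr):
    """Shape check only: 6 or 7 fields and '?' in exactly one day field."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return False
    return (fields[3] == "?") != (fields[5] == "?")
```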

Re-indexing events

The Splunk Add-on for Microsoft SCOM saves checkpoints for some commands to preserve the last indexed date. If you want to index events again, remove all the files in %SPLUNK_HOME%\var\lib\splunk\modinputs\scom.

This documentation applies to the following versions of Splunk® Supported Add-ons: released

