Splunk® Supported Add-ons

Splunk Add-on for Microsoft SCOM

Troubleshoot the Splunk Add-on for Microsoft SCOM

General troubleshooting

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.


Custom source types

If you override the default source types set by this add-on, some functionality may fail, including CIM mapping, prebuilt panels, checkpoints, and timestamps. To preserve this functionality, inputs configured using group metrics do not accept source type overrides.

Missing data

If your Splunk platform search results are missing data for certain objects in your SCOM environment that you expect based on the inputs you enabled, consult with your Microsoft SCOM administrator to ensure that SCOM is configured so that these objects are created. The Splunk Add-on for Microsoft SCOM uses only GET commands to return lists of objects. In some cases, the SCOM admin must create the objects first by using ADD commands manually. For example, if you have configured an input to use the Get-SCOMNotificationChannel command, the input only produces data if a SCOM admin has previously called the command Add-SCOMNotificationChannel manually.

Add-on logs

The Splunk Add-on for Microsoft SCOM has a log located at %SPLUNK_HOME%\var\log\splunk\ta_scom.log.

For errors regarding invalid commands, parameters, or other exceptions, search for

index=_internal source=*ta_scom.log

For remote management server connection errors, search for

index=_internal source=*ta_scom.log New SCOMManagementGroupConnection Fail

For server validation related errors, search for

index=_internal sourcetype=ms:scom:log:server_validation

For input validation related errors, search for

index=_internal sourcetype=ms:scom:log:input_validation

For performance filter parameter validation related errors, search for

index=_internal sourcetype=ms:scom:log:performance_filter_parameter_validation

Logging Levels

The Splunk Add-on for Microsoft SCOM allows you to configure logging levels in the configuration UI or in microsoft_scom.conf. Allowed log levels are DEBUG, WARN, and ERROR. The default is WARN. To configure logging using the UI:

  1. Go to Splunk Web on your data collection node.
  2. Click Splunk Add-on for Microsoft SCOM on the left side to access the Splunk Add-on for Microsoft SCOM configuration UI.
  3. Click Configuration, then Logging and select a logging level from the drop-down menu.

PowerShell logs

A PowerShell log is provided here: %SPLUNK_HOME%\var\log\splunk\splunk-powershell.ps1.log.

For errors that occur when PowerShell calls the SCOM scripts, search for

index=_internal source=*powershell*.log

Cron expression format

The add-on is configured to expect cron expressions in the Quartz Scheduler format rather than the Unix standard.

See the Quartz documentation for the complete format reference.
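As an added example (not part of the Splunk documentation or the add-on's code), this Python script converts a Unix five-field cron expression to the Quartz six-field layout and checks whether an expression has the Quartz shape. It assumes the field rules from the Quartz CronTrigger documentation: a leading seconds field, `?` in exactly one of day-of-month and day-of-week, and day-of-week numbered 1-7 starting at Sunday; the function names are hypothetical.

```python
import re

def shift_dow(field: str) -> str:
    """Renumber Unix day-of-week (0 or 7 = Sunday) to Quartz (1 = Sunday)."""
    items = []
    for item in field.split(","):
        base, slash, step = item.partition("/")  # the step value is not a day number
        base = re.sub(r"\d+", lambda m: str(int(m.group()) % 7 + 1), base)
        items.append(base + slash + step)
    return ",".join(items)

def unix_to_quartz(expr: str) -> str:
    """Convert 'min hour dom month dow' to 'sec min hour dom month dow'."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 Unix cron fields, got {len(fields)}")
    minute, hour, dom, month, dow = fields
    if dom != "*" and dow != "*":
        # Unix ORs these two fields; Quartz (assumed rule) needs '?' in one of them,
        # so this schedule has to be split into two separate expressions.
        raise ValueError("day-of-month and day-of-week are both restricted")
    if dow == "*":
        dow = "?"               # schedule is driven by day-of-month
    else:
        dom = "?"               # schedule is driven by day-of-week
        dow = shift_dow(dow)
    return " ".join(["0", minute, hour, dom, month, dow])

def is_quartz_shaped(expr: str) -> bool:
    """True if expr has 6 or 7 fields and '?' in exactly one day field."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return False
    return (fields[3] == "?") != (fields[5] == "?")

if __name__ == "__main__":
    # Constructed sample schedules, not taken from the add-on.
    for sample in ("*/5 * * * *", "0 2 * * 1-5", "30 6 1 * *"):
        print(f"{sample!r:16} -> {unix_to_quartz(sample)!r}")
```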

Re-indexing events

The Splunk Add-on for Microsoft SCOM saves checkpoints for some commands to preserve the last indexed date. If you want to index events again, remove all the files in %SPLUNK_HOME%\var\lib\splunk\modinputs\scom.

Last modified on 26 August, 2024