
Monitor Windows data with PowerShell scripts
PowerShell is a scripting language that comes with many versions of Windows. It lets you handle Windows operations from a command-line interface. You can create scripts with the language and output the results of those scripts as objects to other scripts.
Splunk Enterprise supports the monitoring of events received through PowerShell scripts. You can use the PowerShell input to run a single PowerShell command or reference a PowerShell script. Splunk Enterprise then indexes the output of these commands or scripts as events.
If you have Splunk Cloud and want to monitor script output, use the universal forwarder to consume the output and forward it to your Splunk Cloud deployment.
What do you need to monitor data with PowerShell scripts?
Activity | Required permissions |
---|---|
Monitor data with PowerShell scripts | |
Configure inputs with configuration files
- Write a PowerShell command or script to capture the information you want.
- On the Splunk instance that is to run the script, open a PowerShell window.
- Copy inputs.conf from %SPLUNK_HOME%\etc\system\default to etc\system\local.
- Open inputs.conf and edit it to enable a Windows PowerShell input.
- In the input, specify the command or the full path to your script in the script setting.
- (Optional) Specify a schedule on which the command or script should run with the schedule setting.
- Save inputs.conf.
- Restart Splunk Enterprise to enable the input.
PowerShell input configuration values
Splunk uses the following stanzas in inputs.conf to monitor data gathered by PowerShell.
Attribute | Description | Default |
---|---|---|
script | The PowerShell command or script file to execute. When you specify a script file (.ps1), prepend the script name with a period and a space (". "). | n/a |
schedule | How often the command or script should execute. You can specify either a number to indicate the interval, in seconds, or a valid | Script runs once |
disabled | Whether or not to enable the input. Set to 1 to disable and 0 to enable. | 0 (enabled) |
Following are some examples of how to configure the input:
Single command example: This example runs the Get-Process cmdlet and pipes its output to the Select-Object cmdlet, which adds a calculated SplunkHost property holding the name of the host that the Splunk software is installed on. It runs the command every 5 minutes.
```
[powershell://Processes-EX1]
script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName, @{n="SplunkHost";e={$Env:SPLUNK_SERVER_NAME}}
schedule = */5 * * * *
sourcetype = Windows:Process
```
Script example: This example runs the getprocesses.ps1 script located in %SPLUNK_HOME%\etc\apps\My-App. It sets the source type for these events to Windows:Process. The script runs every 20 minutes from 9:00am to 4:40pm on Mondays to Fridays.
```
[powershell://Processes-EX2]
script = . "$SplunkHome\etc\apps\My-App\bin\getprocesses.ps1"
# cron fields: minute hour day-of-month month day-of-week
schedule = */20 9-16 * * 1-5
sourcetype = Windows:Process
```
For information on writing PowerShell scripts, see Write scripts for the PowerShell input.
Configure inputs with Splunk Web
Splunk Web is only available with Splunk Enterprise. For universal forwarders, see Configure inputs with configuration files.
- Select Settings > Data inputs from the system bar.
- Select PowerShell v3 modular input.
- Click New.
- Enter an input name in the Name field.
- Enter a command or path to a script in the Command or Script Path field.
- Enter an interval or cron schedule in the Cron Schedule field.
- Click the More Settings checkbox to select the source type, host, and default index.
- Click Next.
Write scripts for the PowerShell input
Architecture
Splunk Enterprise provides one modular PowerShell input handler. The PowerShell handler supports Microsoft PowerShell version 3 and later.
The PowerShell modular input provides a single-instance, multi-threaded script host with a supporting schema, XML configuration through the stdin stream, and XML streaming output.
You can define many PowerShell stanzas and run them simultaneously. You can schedule each stanza through the cron syntax. Because all scripts run within the same process, scripts share environment variables such as the current working directory.
Note: The input does not set a host variable in your PowerShell environment. When you write a script for the input, do not refer to $host or use the Write-Host or Out-Host PowerShell cmdlets. Instead, use either the Write-Output or Write-Error cmdlets.
The input converts all output to key/value pairs based on public properties that are defined in the schema.
Splunk Enterprise also includes a PowerShell module called LocalStorage, which exposes three cmdlets:
- Get-LocalStoragePath
- Export-LocalStorage
- Import-LocalStorage
These cmdlets use the Splunk Enterprise checkpoint directory and let you maintain key/value pairs of data between scheduled runs of your script. Normally, data does not persist from one invocation to the next.
Specify paths
The input sets the SplunkHome variable so you can easily address scripts in add-ons by writing paths like this:
```
[powershell://MSExchange_Health]
script=. $SplunkHome/etc/apps/TA-Exchange-2010/powershell/health.ps1
```
Besides $SplunkHome, there are several other read-only constant variables:
Variable | Description |
---|---|
SplunkServerName | The name configured for this machine to use in events. |
SplunkServerUri | The Splunk Enterprise REST API address. |
SplunkSessionKey | The session key (authentication token) needed for accessing the Splunk Enterprise REST API. |
SplunkCheckpointPath | The path for storing persistent state. |
SplunkServerHost | The name of the Splunk Enterprise instance that you want to communicate with. |
SplunkStanzaName | The name of the inputs.conf stanza that defined this script. |
Handle output of PowerShell scripts
Splunk Enterprise takes each object that your script produces as an output and turns it into an event, wrapped in <event> and <data> tags. Splunk Enterprise converts the properties of each object into key/value pairs. However, the value can only be a quoted string, converted by calling the .ToString() method. Thus, the output must be simple, and you should flatten any complex nested objects in your script before the script outputs them.
There are a few special property names which have significance for Splunk Enterprise modular inputs and let you override the defaults in the inputs.conf stanza. They are:
Property | Description |
---|---|
SplunkIndex | Overrides the index that the output will be stored in. |
SplunkSource | Overrides the "source" for the output. |
SplunkHost | Overrides the "host" name for the output. |
SplunkSourceType | Overrides the "sourcetype" for the output. |
SplunkTime | Overrides the "time". If you do not specify this, all objects that your script generates in a single execution will get roughly the same timestamp. This is because the script holds the objects for output until it has finished executing, and then marks the objects with the output time. You must specify this value in epoch or POSIX time, which is a positive integer that represents the seconds that have elapsed since 0:00 UTC on Thursday, January 1, 1970. |
These properties never appear as objects in the key/value output.
If you want to set these properties and override the defaults, use a calculated expression with the Select-Object cmdlet or use the Add-Member cmdlet to add a NoteProperty property.
Caveats for handling PowerShell script output
The input currently requires that any PowerShell scripts it executes produce output objects that do not have any script properties. Pipe output through the Select-Object cmdlet to ensure proper formatting.
The input currently does not process the output of scripts until your pipeline and runspace are finished. This means the input does not process ScriptProperty values. It also means that all of your output essentially has the same timestamp, unless you override it using the SplunkTime variable.
When writing your scripts, avoid long-running scripts. Do not write scripts that wait for things to happen unless the scripts exit every time there is output.
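The script below is an added example, not code from the Splunk documentation. It ties the sections above together: it uses the documented $SplunkCheckpointPath and $SplunkStanzaName variables to keep a checkpoint between scheduled runs, flattens each Windows Security event into scalar properties, and sets SplunkSourceType, SplunkHost and SplunkTime per object so events carry their own timestamp. The checkpoint file name, the My-App add-on path and the use of Export-Clixml/Import-Clixml in place of the LocalStorage module are assumptions made for this example.

```powershell
# Added example, not from the Splunk documentation: collect new failed logon
# events (Security event ID 4625) since the previous run and emit one flat
# object per event. Assumes the documented $SplunkCheckpointPath and
# $SplunkStanzaName variables are set by the input; the checkpoint file name
# and the use of Export-Clixml/Import-Clixml instead of the LocalStorage
# module are this example's own choices. Stanza (My-App is hypothetical):
#   [powershell://Security-FailedLogons]
#   script = . "$SplunkHome\etc\apps\My-App\bin\failedlogons.ps1"
#   schedule = */5 * * * *

$epoch = [datetime]'1970-01-01 00:00:00'
$safeName = $SplunkStanzaName -replace '[^\w\-]', '_'
$checkpointFile = Join-Path $SplunkCheckpointPath "$safeName.xml"

# Restore the last-seen timestamp; on the very first run look back one hour.
$since = (Get-Date).AddHours(-1)
if (Test-Path $checkpointFile) { $since = Import-Clixml $checkpointFile }

# Ask only for newer events and bound the batch: the input blocks until the
# runspace finishes, so a long-running script delays every object it emits.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue
$latest = $since
foreach ($e in $events) {
    # Flatten the nested EventData into name/value pairs; only scalar
    # properties survive the input's .ToString() conversion.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [PSCustomObject]@{
        EventID       = $e.Id
        Computer      = $e.MachineName
        TargetUser    = $data['TargetUserName']
        TargetDomain  = $data['TargetDomainName']
        LogonType     = $data['LogonType']
        FailureStatus = $data['Status']
        SourceIp      = $data['IpAddress']
        Workstation   = $data['WorkstationName']
        # Special properties override the stanza defaults for this object only.
        SplunkSourceType = 'WinEventLog:Security:FailedLogon'
        SplunkHost       = $e.MachineName
        # The record's own time in epoch seconds, not the end-of-run time.
        SplunkTime       = [int64][math]::Floor(($e.TimeCreated.ToUniversalTime() - $epoch).TotalSeconds)
    }
    if ($e.TimeCreated -gt $latest) { $latest = $e.TimeCreated }
}

# Persist the checkpoint only after all objects have been emitted.
Export-Clixml -Path $checkpointFile -InputObject $latest
```

Because the objects are emitted to the pipeline rather than through Write-Host, and every property is a string or number, the input can serialize each one as a separate event with its own SplunkTime.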
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 7.0.11, 7.0.2, 7.0.3