Splunk Cloud

Getting Data In

Monitor Windows data with PowerShell scripts

PowerShell is a scripting language that comes with many versions of Windows. It lets you handle Windows operations from a command-line interface. You can create scripts with the language and output the results of those scripts as objects to other scripts.

Splunk Enterprise supports the monitoring of events received through PowerShell scripts. You can use the PowerShell input to run a single PowerShell command or reference a PowerShell script. Splunk Enterprise then indexes the output of these commands or scripts as events.

If you have Splunk Cloud and want to monitor script output, use the universal forwarder to consume the output and forward it to your Splunk Cloud deployment.

What do you need to monitor data with PowerShell scripts?

Activity: Monitor data with PowerShell scripts

Required permissions:
  • Splunk Enterprise or the universal forwarder must run on Windows.
  • The Splunk service must be configured to use the Local System user to run all PowerShell scripts.
  • PowerShell v3.0 or later must be installed on the host.
  • Microsoft .NET version 4.5 or later must be installed on the host.

Configure inputs with configuration files

  1. Write a PowerShell command or script to capture the information you want.
  2. On the Splunk instance that is to run the script, open a PowerShell window.
  3. Copy inputs.conf from %SPLUNK_HOME%\etc\system\default to %SPLUNK_HOME%\etc\system\local.
  4. Open the inputs.conf and edit it to enable a Windows PowerShell input.
  5. In the input, specify the command or the full path to your script in the script setting.
  6. (Optional) Specify a schedule on which the command or script should run with the schedule setting.
  7. Save inputs.conf.
  8. Restart Splunk Enterprise to enable the input.

PowerShell input configuration values

Splunk uses the following settings in [powershell://<name>] stanzas in inputs.conf to monitor data gathered by PowerShell.

script
    The PowerShell command or script file to execute. When you specify a script file (.ps1), prepend the script name with a period and a space (". ").
    Default: n/a

schedule
    How often the command or script should execute. You can specify either a number to indicate the interval, in seconds, or a valid cron schedule format.
    Default: Script runs once

disabled
    Whether or not to enable the input. Set to 1 to disable and 0 to enable.
    Default: 0 (enabled)

Following are some examples of how to configure the input:

Single command example: This example runs the Get-Process cmdlet and pipes its output to the Select-Object cmdlet, which adds a SplunkHost property holding the name of the host on which the Splunk software is installed. The command runs every 5 minutes.

    [powershell://Processes-EX1]
    script = Get-Process | Select-Object Handles, NPM, PM, WS, VM, Id, ProcessName, @{n="SplunkHost";e={$Env:SPLUNK_SERVER_NAME}}
    schedule = */5 * * * *
    sourcetype = Windows:Process

Script example: This example runs the getprocesses.ps1 script located in the bin directory of %SPLUNK_HOME%\etc\apps\My-App. It sets the source type for these events to Windows:Process. The script runs every 20 minutes from 9:00am to 4:40pm, Monday to Friday.

    [powershell://Processes-EX2]
    script = . "$SplunkHome\etc\apps\My-App\bin\getprocesses.ps1"
    # cron fields: minute hour day-of-month month day-of-week
    schedule = */20 9-16 * * 1-5
    sourcetype = Windows:Process

For information on writing PowerShell scripts, see Write scripts for the PowerShell input.

Configure inputs with Splunk Web

Splunk Web is only available with Splunk Enterprise. For universal forwarders, see Configure inputs with configuration files.

  1. Select Settings > Data inputs from the system bar.
  2. Select PowerShell v3 modular input.
  3. Click New.
  4. Enter an input name in the Name field.
  5. Enter a command or path to a script in the Command or Script Path field.
  6. Enter an interval or cron schedule in the Cron Schedule field.
  7. Click the More Settings checkbox to select the source type, host, and default index.
  8. Click Next.

Write scripts for the PowerShell input

Architecture

Splunk Enterprise provides one modular PowerShell input handler. The PowerShell handler supports Microsoft PowerShell version 3 and later.

The PowerShell modular input is a single-instance, multi-threaded script host that supplies a supporting schema, reads its XML configuration from the stdin stream, and streams its output as XML.

You can define many PowerShell stanzas and run them simultaneously. You can schedule each stanza through the cron syntax. Because all scripts run within the same process, scripts share environment variables such as the current working directory.

Note: The input does not set a host variable in your PowerShell environment. When you write a script for the input, do not refer to $host or use the Write-Host or Out-Host PowerShell cmdlets. Instead, use either the Write-Output or Write-Error cmdlets.

The input converts all output to key/value pairs based on public properties that are defined in the schema.

Splunk Enterprise also includes a PowerShell module called LocalStorage, which exposes three cmdlets:

  • Get-LocalStoragePath
  • Export-LocalStorage
  • Import-LocalStorage

These cmdlets use the Splunk Enterprise checkpoint directory and let you maintain key/value pairs of data between scheduled runs of your script. Normally, data does not persist from one invocation to the next.

Specify paths

The input sets the SplunkHome variable so you can easily address scripts in add-ons by writing paths like this:

    [powershell://MSExchange_Health]
    script=. $SplunkHome/etc/apps/TA-Exchange-2010/powershell/health.ps1

Besides $SplunkHome, there are several other read-only constant variables:

SplunkServerName
    The name configured for this machine to use in events.

SplunkServerUri
    The Splunk Enterprise REST API address.

SplunkSessionKey
    The session key (authentication token) needed for accessing the Splunk Enterprise REST API.

SplunkCheckpointPath
    The path for storing persistent state.

SplunkServerHost
    The name of the Splunk Enterprise instance that you want to communicate with.

SplunkStanzaName
    The name of the inputs.conf stanza that defined this script.

Handle output of PowerShell scripts

Splunk Enterprise takes each object that your script produces as an output and turns it into an event, wrapped in <event> and <data> tags. Splunk Enterprise converts the properties of each object into key/value pairs. However, the value can only be a quoted string, converted by calling the .ToString() method. Thus, the output must be simple, and you should flatten any complex nested objects in your script before the script outputs them.

There are a few special property names which have significance for Splunk Enterprise modular inputs and let you override the defaults in the inputs.conf stanza. They are:

SplunkIndex
    Overrides the index that the output will be stored in.

SplunkSource
    Overrides the "source" for the output.

SplunkHost
    Overrides the "host" name for the output.

SplunkSourceType
    Overrides the "sourcetype" for the output.

SplunkTime
    Overrides the "time". If you do not specify this, all objects that your script generates in a single execution will get roughly the same timestamp. This is because the script holds the objects for output until it has finished executing, and then marks the objects with the output time. You must specify this value in epoch or POSIX time, which is a positive integer that represents the seconds that have elapsed since 0:00 UTC on Thursday, January 1, 1970.

These properties never appear as objects in the key/value output.

If you want to set these properties and override the defaults, use a calculated expression with the Select-Object cmdlet or use the Add-Member cmdlet to add a NoteProperty property.

Caveats for handling PowerShell script output

The input currently requires that any PowerShell scripts it executes produce output objects that do not have any script properties. Pipe output through the Select-Object cmdlet to ensure proper formatting.

The input currently does not process the output of scripts until your pipeline and runspace are finished. This means the input does not process ScriptProperty values. It also means that all of your output essentially has the same timestamp, unless you override it using the SplunkTime property.

When writing your scripts, avoid long-running scripts. Do not write scripts that wait for things to happen unless the scripts exit every time there is output.
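The following script ties together the pieces described above: it persists state between scheduled runs through the SplunkCheckpointPath and SplunkStanzaName variables, flattens nested objects into plain properties as the output caveats require, and sets the SplunkTime, SplunkHost and SplunkSourceType overrides with both a calculated property and Add-Member. It is an added example, not Splunk's own code, and it goes beyond the Get-Process examples on this page by reading the Windows Security event log (failed logons, event ID 4625) so that each event carries its real timestamp rather than the run time. The stanza name FailedLogons, the file name Get-FailedLogons.ps1, the source type Windows:FailedLogon, the 5-minute first-run look-back, and the assumption that the Splunk service account can read the Security log are all illustrative choices, not values from the page.

```powershell
# Added example (not Splunk's own code): a script for the PowerShell modular
# input that reports failed logons (Security event 4625) recorded since the
# previous run, persists that cut-off between runs, and overrides the event
# time, host and source type through the special output properties.
#
# Assumed inputs.conf stanza (names are illustrative):
#   [powershell://FailedLogons]
#   script = . "$SplunkHome\etc\apps\My-App\bin\Get-FailedLogons.ps1"
#   schedule = */5 * * * *

# --- State between runs -----------------------------------------------------
# $SplunkCheckpointPath and $SplunkStanzaName are variables the input sets.
# Export-Clixml/Import-Clixml against the checkpoint directory is a plain
# PowerShell alternative to the LocalStorage cmdlets. The stanza name may
# contain characters that are illegal in file names, so it is sanitised first.
$safeName       = $SplunkStanzaName -replace '[^\w\-]', '_'
$checkpointFile = Join-Path $SplunkCheckpointPath "$safeName.clixml"

if (Test-Path $checkpointFile) {
    [datetime]$lastSeen = Import-Clixml $checkpointFile
} else {
    # First run (assumption): look back one schedule interval, not the whole log.
    $lastSeen = (Get-Date).AddMinutes(-5)
}

# --- Helpers ----------------------------------------------------------------
# SplunkTime must be epoch seconds. DateTime subtraction ignores Kind, so the
# value is converted to UTC before the 1970-01-01 origin is subtracted.
function ConvertTo-Epoch([datetime]$Time) {
    [int64](($Time.ToUniversalTime() - [datetime]'1970-01-01').TotalSeconds)
}

# Reads one named <Data> element from an event's EventData XML. Looking fields
# up by name instead of Properties[] index keeps the flattening readable.
function Get-EventDataField([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# --- Collect ----------------------------------------------------------------
# Get-WinEvent reports "no events found" as a non-terminating error; it is
# silenced so an empty interval produces no output instead of a Write-Error.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $lastSeen }
$new = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
         Where-Object { $_.TimeCreated -gt $lastSeen })   # StartTime is inclusive

# --- Flatten and emit -------------------------------------------------------
# Each object becomes one event. The input ignores ScriptProperty values and
# stringifies every value with ToString(), so the nested EventLogRecord is
# flattened into NoteProperties here.
$records = foreach ($e in $new) {
    $x = [xml]$e.ToXml()
    $obj = New-Object PSObject -Property ([ordered]@{
        EventId      = $e.Id
        TargetUser   = Get-EventDataField $x 'TargetUserName'
        TargetDomain = Get-EventDataField $x 'TargetDomainName'
        LogonType    = Get-EventDataField $x 'LogonType'
        SourceIp     = Get-EventDataField $x 'IpAddress'
        Workstation  = Get-EventDataField $x 'WorkstationName'
        Status       = Get-EventDataField $x 'Status'
        # Special properties: consumed by the input, never emitted as fields.
        SplunkTime   = ConvertTo-Epoch $e.TimeCreated   # real event time, not run time
        SplunkHost   = $e.MachineName
    })
    # Add-Member is the other documented way to attach an override property.
    $obj | Add-Member -MemberType NoteProperty -Name SplunkSourceType `
                      -Value 'Windows:FailedLogon' -PassThru
}

# Select-Object guarantees plain, ordered output objects; Write-Output (never
# Write-Host) hands them to the input. With no new events nothing is emitted.
$records |
    Select-Object EventId, TargetUser, TargetDomain, LogonType, SourceIp,
                  Workstation, Status, SplunkTime, SplunkHost, SplunkSourceType |
    Write-Output

# --- Persist the new cut-off ------------------------------------------------
# The newest TimeCreated seen becomes the next run's StartTime. If nothing
# arrived, the old cut-off is kept so no event can fall between two runs.
if ($new.Count -gt 0) {
    $lastSeen = ($new | Sort-Object TimeCreated -Descending |
                 Select-Object -First 1).TimeCreated
}
$lastSeen | Export-Clixml -Path $checkpointFile
```

The script exits after every run, as the caveats above recommend, and relies on the checkpoint file rather than on a long-running wait loop to avoid gaps between runs. Because the checkpoint lives under the directory the input provides, it is written by the same Local System account that runs the script, so no extra file permissions are needed.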

Last modified on 29 May, 2020

This documentation applies to the following versions of Splunk Cloud: 7.0.11, 7.0.13, 7.2.10, 8.0.2003, 8.0.2004, 8.0.2006, 8.0.2007, 8.1.2008