I have a somewhat complex process I'm trying to get working. The synopsis is this: I have a report that generates a list of machines Splunk has not heard from in at least 12 hours. This report runs on the Search Head, a Linux server. That report is piped to a CSV file using outputcsv. I then have a Heavy Forwarder running on a Windows server. On the HF, I wrote a PowerShell script that retrieves the CSV file, parses the machines, does some PowerShell 'magic', and then uploads the results to the SH in a new CSV as a lookup table in the Search app. The initial report works fine, and the PowerShell script works when I run it from the command line of the HF. However, I want to automate the PowerShell script, and I've been trying to do it in Splunk on the HF using the PowerShell add-on. I'm currently on 6.2 on all my servers.
So the add-on is installed on the HF and I created an inputs.conf file with the following:
```
[powershell://check-service]
script = . "c:\Tools\Powershell\test\check_service.ps1"
schedule = 30 */12 * * *
sourcetype = CheckService
```
Splunk is running on the Windows HF with the same account I'm doing the troubleshooting with. The execution policy for the account is unrestricted.
So I've looked through several of the entries talking about troubleshooting PowerShell scripts, and my first question is this: I wanted to look at the errors, and one of the other entries said to check the PowerShell logs by running the following search:
```
index=_internal source="*powershell*.log"
```
But running this on the SH yields no results. Am I searching for the PowerShell logs in the wrong place? Are there no logs because I haven't set up the add-on correctly?
I also tried `index=_internal source="*powershell*"` and `index=_internal source="*.ps1"` but neither of those searches yielded anything.
Any other suggestions on how to troubleshoot? Any ideas on why this script isn't running?
Thanks.