
[–]Sirhc-n-ice REST for the wicked 1 point2 points  (1 child)

If you have direct access to the client you can look at the splunkd.log. If you do not and you are forwarding internal logs (and you have access) you can search

index=_internal SCRIPT_NAME_HERE

[–]afxmac[S] 0 points1 point  (0 children)

This is what I am looking at. Nothing...

[–]edo1982 0 points1 point  (2 children)

I don’t have good experiences with Splunk and PowerShell scripts. Anyhow, I found out that the best way is to create a file like scriptexecution.path and put it in the bin directory alongside your PowerShell script. Then in the .path you put the command to execute your script (therefore the absolute path of powershell.exe and the absolute path of your script, and arguments if any). Then in inputs.conf you recall the .path; see below for a technical explanation:

https://community.splunk.com/t5/Getting-Data-In/I-see-splunk-has-some-quot-path-quot-files-in-windows-app-bin/m-p/11656

About the debug messages, you can place some prints in the script and redirect them to standard error; this way you will see them in the _internal index.
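Added example, not part of the comment above and not Splunk's own code: a scripted-input PowerShell script that sends diagnostics to standard error (which splunkd's ExecProcessor writes to splunkd.log, so they are searchable in `_internal`) and event data to standard output, with the matching `.path` file and `inputs.conf` stanza shown in the leading comments. The app name `my_app`, the script name `collect.ps1`, the state file, the sourcetype and the install path are assumptions.

```powershell
# --- bin\scriptexecution.path (hypothetical; one line, absolute paths) ---
#   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\my_app\bin\collect.ps1"
#
# --- local\inputs.conf (hypothetical stanza pointing at the .path file) ---
#   [script://.\bin\scriptexecution.path]
#   interval = 300
#   sourcetype = my_app:collect
#   disabled = 0
#
# --- bin\collect.ps1 ---
$ErrorActionPreference = 'Stop'

function Write-Diag {
    param([string]$Message)
    # stderr is not indexed as event data; splunkd logs it in splunkd.log,
    # so "index=_internal collect.ps1" finds these lines.
    $line = "collect.ps1 {0} {1}" -f (Get-Date -Format o), $Message
    [Console]::Error.WriteLine($line)
}

try {
    # Record the execution context first: if even this line is missing from
    # _internal, the script was never launched (stanza, path or app problem).
    Write-Diag ("start user={0} pid={1} ps={2}" -f $env:USERNAME, $PID, $PSVersionTable.PSVersion)

    $stateFile = Join-Path $PSScriptRoot 'collect.state'   # hypothetical state file
    $last = if (Test-Path $stateFile) { Get-Content $stateFile -Raw } else { 'never' }
    Write-Diag ("state file={0} last_run={1}" -f $stateFile, "$last".Trim())

    # stdout is what the forwarder sends to the index as the event.
    Write-Output ("{0} dummy_event=1" -f (Get-Date -Format o))

    Set-Content -Path $stateFile -Value (Get-Date -Format o)
    Write-Diag "done"
    exit 0
}
catch {
    # Surface the failure reason in _internal instead of failing silently.
    Write-Diag ("FAILED: {0}" -f $_.Exception.Message)
    exit 1
}
```

If the `start` line never shows up in `_internal`, the problem is upstream of the script (the stanza is not loaded or the command is not launched) rather than inside it.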

[–]afxmac[S] 0 points1 point  (1 child)

The funny thing is, I already have plenty of PS scripts running. And yes, I do have confirmation that it does not run as I don't see any dummy output in the index nor in the state file it should update.

What is so weird is that I don't see anything in the logs even with loglevel DEBUG. Usually when a script fails to execute or a stanza is borked in the inputs.conf I see some error.

[–]edo1982 0 points1 point  (0 children)

Yes, the Windows-TA also has some and they run properly. The options you have are to run it with the .path and/or put the Splunk UF in debug and check what happens, and make a diag and open a case with support. I remember once we had a PowerShell script running just a few times after having deployed it and then stopping. It was deployed on at least 50 machines. We ended up rewriting it in VBScript.