In the first part of this series, we discussed using a .env file to obtain a Splunk HEC token and our Splunk URL. These two pieces of information are going to need to make their way into our POST request to Splunk. Be sure to read Part I if you haven’t already.
The next thing we need to do is pull in a hash table from the disk. The reason I’ve done it this way is to ensure I had a hash table to use without having to create it. It was a quicker way to work with my code, as I was still in the development and testing phase. In production, the hash table would be created not from the disk/stale data, but from real-time data collection.
#region: Read clixml .xml file and obtain hashtable. $HashTablePath = 'C:\Users\tommymaynard\Documents\_Repos\code\functiontemplate\random\telemetry\eventhashtable.xml' $EventHashTable = Import-Clixml -Path $HashTablePath #endregion.
The above code does two things: One, it sets the $HashTablePath variable to an XML file. This file was created previously using Export-Clixml. The second thing it does is import the XML file using Import-Clixml. So, what’s in the file and what are we doing here? As we’ll see later, we’re going to use a hash table—an in-memory data structure to store key-value pairs—and get that converted (to something else) and sent to Splunk.
This isn’t just any hash table, so let’s take a look at what’s stored in the $EventHashTable variable once these two lines of code are complete.
$EventHashTable
Name Value
---- -----
event {OperatingSystemPlatform, IPAddressPublic, Command:0, PSVersionOther…}
sourcetype Telemetry
host mainpc.tommymaynard.com\TOMMYCOMPUTER
time 1608148655
source PowerShellFunctionTemplate
If you’ve worked with PowerShell hash tables before, then you’ll probably recognize that there’s a nested hash table inside this hash table. That, or at minimum, that one of the values doesn’t seem right. This nested hash table is stored as the value for the event key. The four other keys — host, time, source, and sourcetype — are standard key-value pairs that have values that are not nested hash tables. Let’s take a look at the key-value pairs inside the nested hash table. We can use dotted notation to view the values stored in each key.
$EventHashTable.host
mainpc.tommymaynard.com\TOMMYCOMPUTER
$EventHashTable.time; $EventHashTable.source
1608148655 PowerShellFunctionTemplate
$EventHashTable.sourcetype
Telemetry
Now, let’s view the key-value pairs stored inside the nested hash table. Then we’ll run through how we’re able to nest a hash table inside another hash table before it was saved to disk using Export-Clixml.
$EventHashTable.event
Name Value ---- ----- OperatingSystemPlatform Win32NT IPAddress 64.204.192.66 Command:0:CommandName New-FunctionTemplate PSVersionAdditional Windows PowerShell 5.1.19041.610 DateTime Wed. 12/16/2020 12:57:35 PM Command:0:Parameter:1 PassThru:True Template FunctionTemplate 3.4.7 Command:0:CommandType Function IPAddressAdditional 192.168.86.127 Command:0:Parameter:0 Log:ToScreen Duration 0:00:00:00.9080064 Domain\Username mainpc.tommymaynard.com\tommymaynard CommandName New-FunctionTemplate ModuleName Domain\Computer mainpc.tommymaynard.com\TOMMYCOMPUTER OperatingSystem Microsoft Windows 10.0.19041 PSVersion PowerShell 7.1.0 PSHostProgram ConsoleHost
Look at all that data! It’s beautiful (although not completely accurate, so that it may be posted here). When it’s not pulled from the disk/stale data, such as in this example, it’s being gathered by a function during its invocation, and then it’s sent off to Splunk! Because Splunk is involved, it’s important to understand why we’ve set up the hash tables the way we have. The host, time, source, and sourcetype keys in the top-level hash table are what Splunk calls event metadata (scroll down to Event Metadata). It’s optional to send in this data, but for me, it made sense. I wanted to guarantee that I had control over these values versus what their default values might be. The nested hash table is the event data. It’s not data about data, such as metadata is; it’s the data we collected and want Splunk to retain.
We’re going to wrap this part up, but I do want to provide how I got a hash table to nest inside of another hash table. We won’t bother working with the complete information above, but I’ll explain what you need to know. Here’s our downsized event hash table.
$Event = @{
OperatingSystemPlatform = 'Win32NT'
PSVersion = 'PowerShell 7.0.1'
PSHostProgram = 'ConsoleHost'
}
And here it is, stored in the $Event variable and being used as a value in the parent, or previously used term, top-level hash table.
$EventHashTable = @{
event = $Event
host = 'mainpc.tommymaynard.com\TOMMYCOMPUTER'
time = [int](Get-Date -Date (Get-Date) -UFormat %s)
source = 'PowerShellFunctionTemplate'
sourcetype = 'Telemetry'
}
$EventHashTable
Name Value
---- -----
source PowerShellFunctionTemplate
sourcetype Telemetry
host mainpc.tommymaynard.com\TOMMYCOMPUTER
event {OperatingSystemPlatform, PSHostProgram, PSVersion}
time 1608148655
If you opt to include the time event metadata, do recognize that it uses, and expects, epoch time. This is the number of seconds after epoch, or June 1, 1970, 00:00:00 UTC. The -UFormat parameter with the %s parameter value will return this value. I believe this was added in Windows PowerShell 3.0, so if you have a client with an earlier version, first, I’m sorry, and second, there’s another way to obtain this value without the UFormat parameter: think datetime subtraction.
Okay, check back for more; there’s still plenty left to cover. Part III will be up soon!
Edit: Part III is now available.