Gather Elastic status output into PowerShell to query

We are looking for a way of reporting back on the status of our Elastic agents via PDQ Inventory. Currently we have the ability to run the command elastic-agent status and get an output either in human-readable format or JSON. The output looks something like this:

    :\Program Files\Elastic\Agent>elastic-agent.exe status --output json
    {
      "Status": 2,
      "Message": "",
      "Applications": [
        {
          "ID": "endpoint-security--8.3.3-xxxxxxxx",
          "Name": "endpoint-security",
          "Status": 2,
          "Message": "Protecting with policy {0b6837ac-06fd-4e5e-8137-xxxxxxxxxxxxxf}",
          "Payload": null
        },
        {
          "ID": "filebeat--8.3.3-4b3087ec",
          "Name": "filebeat",
          "Status": 2,
          "Message": "Running",
          "Payload": null
        }
      ]
    }

Out of that data, really we only care about the two status fields that are currently showing status = 2 (which means connected). I would very much like to be able to push this through a PowerShell scanner and be able to query on the status field, but I am having a hard time making it all work. Any suggestions from the group on how to format the output so the PowerShell scanner could properly place it in the database for query?

0

Comments

2 comments
  • Something like this?

    Set-Location 'C:\Program Files\Elastic\Agent'

    $AgentJson = elastic-agent.exe status --output json | ConvertFrom-Json

    $AgentJson.Applications | Select-Object 'Name', 'Status'
    1
  • I was far over-complicating this. Your command works perfectly. Thank you.

    0
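
An added example, not part of the original thread and not PDQ's or Elastic's own code: the accepted command extended into a scanner script that emits one flat row per component with a boolean Connected column, and still emits a row when the agent returns nothing parseable, so an endpoint with a broken or missing agent does not silently drop out of the query. It assumes the JSON shape, install path and "status 2 means connected" given in the thread; the function name, the -1 sentinel and the sample JSON are constructed for illustration.

```powershell
# Added example: one row per component from `elastic-agent status --output json`.
$ConnectedStatus = 2   # per the question above, status 2 means connected
$Exe = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'   # install path used in the thread

function ConvertTo-AgentStatusRow {
    param([string]$Json)

    $agent = $null
    if (-not [string]::IsNullOrWhiteSpace($Json)) {
        try { $agent = $Json | ConvertFrom-Json -ErrorAction Stop } catch { $agent = $null }
    }
    if ($null -eq $agent) {
        # No usable output: still emit a row so the endpoint shows up as not connected.
        # Status -1 is a sentinel made up for this example, not an Elastic status code.
        return [pscustomobject]@{
            Component = 'elastic-agent'; Status = -1; Connected = $false
            Message   = 'no parseable status output'
        }
    }
    # Overall agent state first, then each entry under Applications (may be absent).
    $rows = @([pscustomobject]@{ Name = 'elastic-agent'; Status = $agent.Status; Message = $agent.Message })
    $rows += @($agent.Applications | Where-Object { $null -ne $_ })
    foreach ($r in $rows) {
        [pscustomobject]@{
            Component = [string]$r.Name
            Status    = $r.Status
            Connected = ($r.Status -eq $ConnectedStatus)
            Message   = [string]$r.Message
        }
    }
}

# Constructed sample in the shape shown in the question; filebeat is given a value
# other than 2 only to show a row with Connected = False.
$Sample = @'
{"Status":2,"Message":"","Applications":[
  {"ID":"endpoint-security--8.3.3-xxxxxxxx","Name":"endpoint-security","Status":2,"Message":"","Payload":null},
  {"ID":"filebeat--8.3.3-4b3087ec","Name":"filebeat","Status":3,"Message":"","Payload":null}]}
'@

# On an endpoint, read the live agent; elsewhere fall back to the sample so the block runs.
# Remove the sample fallback before deploying this as a scanner.
$json = if (Test-Path $Exe) { & $Exe status --output json 2>$null | Out-String } else { $Sample }
ConvertTo-AgentStatusRow -Json $json
```

Filtering on Connected equal to False then returns both components reporting a status other than 2 and machines where the agent produced no parseable output.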
