
Gather Elastic status output into PowerShell to query

We are looking for a way of reporting back on the status of our Elastic agents via PDQ Inventory. Currently we have the ability to run the command elastic-agent status and get an output either in human-readable format or JSON. The output looks something like this:

    :\Program Files\Elastic\Agent>elastic-agent.exe status --output json
    {
      "Status": 2,
      "Message": "",
      "Applications": [
        {
          "ID": "endpoint-security--8.3.3-xxxxxxxx",
          "Name": "endpoint-security",
          "Status": 2,
          "Message": "Protecting with policy {0b6837ac-06fd-4e5e-8137-xxxxxxxxxxxxxf}",
          "Payload": null
        },
        {
          "ID": "filebeat--8.3.3-4b3087ec",
          "Name": "filebeat",
          "Status": 2,
          "Message": "Running",
          "Payload": null
        }
      ]
    }

Out of that data really we only care about the two status fields that are currently showing status = 2 (which means connected). I would very much like to be able to push this through a PowerShell scanner and be able to query on the status field, but I am having a hard time making it all work. Any suggestions from the group on how to format the output so the PowerShell scanner could properly place it in the database for query?

0

Comments

2 comments
  • Something like this?

    Set-Location 'C:\Program Files\Elastic\Agent'

    $AgentJson = elastic-agent.exe status --output json | ConvertFrom-Json

    $AgentJson.Applications | Select-Object 'Name', 'Status'
    1
  • I was far over-complicating this.  Your command works perfectly.  Thank you

    0
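
An added example, not part of the original thread: a scanner script built on the command from the first comment that also emits a row when the agent is missing, stopped, or returns something that is not JSON, so an absent endpoint agent shows up in a report instead of as no data. The function name, the `Component`/`Healthy` property names and the `-1` sentinel are illustrative choices; it assumes the PowerShell scanner stores each emitted object's properties as columns, and it treats `2` as healthy because that is the value the question describes as connected.

```powershell
# Added example; function and property names are illustrative, not PDQ or Elastic identifiers.
function ConvertTo-AgentStatusRow {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Json,
        [int]$HealthyStatus = 2   # the value the question describes as "connected"
    )
    $agent = $null
    try { $agent = $Json | ConvertFrom-Json -ErrorAction Stop } catch { $agent = $null }
    if ($null -eq $agent) {
        # No usable JSON (agent missing, stopped, or printing an error):
        # still emit a row so the scan records a failure. -1 is an arbitrary sentinel.
        return [pscustomobject]@{
            Component = 'elastic-agent'; Status = -1; Healthy = $false
            Message   = 'status output missing or not valid JSON'
        }
    }
    # One row for the agent itself, then one row per entry in Applications.
    [pscustomobject]@{
        Component = 'elastic-agent'
        Status    = $agent.Status
        Healthy   = ($agent.Status -eq $HealthyStatus)   # a missing field compares as not healthy
        Message   = [string]$agent.Message
    }
    foreach ($app in $agent.Applications) {
        [pscustomobject]@{
            Component = [string]$app.Name
            Status    = $app.Status
            Healthy   = ($app.Status -eq $HealthyStatus)
            Message   = [string]$app.Message
        }
    }
}

$exe  = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'
$json = ''
if (Test-Path -LiteralPath $exe -PathType Leaf) {
    # Out-String joins the output lines into one string; stderr is discarded.
    $json = & $exe status --output json 2>$null | Out-String
}
ConvertTo-AgentStatusRow -Json $json

# Constructed input for trying the function on a machine without the agent:
# ConvertTo-AgentStatusRow -Json '{"Status":2,"Applications":[{"Name":"filebeat","Status":3,"Message":"constructed"}]}'
```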