CRON ISSUE

jip31 · ‎05-28-2018

Hi

I use a PowerShell script in my SPL command in order to check the ping status of different machines
It works but i think results are not good
i expain : when i launch my SPL command i have machines in offline status or in online status. Normal
but when i m launching the PowerShell alone in the same time a machine can be offline in splunk but online with PowerShell!
the cron i use for executing the PowerShell is */1 * * * *
what i have to do in order to have the same results please??

DalJeanis · ‎06-30-2018

I don't see any reason to assume that it is a cron issue. I would start by determining at some exact time where splunk says the machine is in one state and Powershell says it is a different state. Note whether it is always one direction, or whether it goes both ways.

There is at least one potential condition in each direction where differences would be valid :

1) If the machine is online but splunk is offline on that machine, then a ping will reach the machine, but splunk will not consider the machine to be up.
2) If the OS executing the ping has lost connectivity to the network, but Splunk has NOT lost connectivity to the network, then the machine will not show as online to the OS but will show online to Splunk.

There are a dozen more scenarios that might happen, depending on the particulars of your configuration. Please post more details, but first verify, in some examples where the detected states differed, verify exactly how the two systems might believe that the system was down at that moment, and see whether it was.

woodcock · ‎06-30-2018

We need more details. Show inputs.conf and your searches.

Rob2520 · ‎06-30-2018

How often do you want to run the script?

CRON ISSUE

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!