Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I make the Powershell add-on script's run on a schedule?

eduardKiyko
Explorer
‎04-24-2018 06:18 AM

I have an add-on that I'm deploying on Windows systems. inputs.conf looks like this:
[powershell://Processes-EX1]
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\Powershell_add_on\bin\Get-Policies.ps1
schedule = 0 * * *
sourcetype = WindowsPowershell
index = test
disabled = 0
I want this to run at every minute 0, every hour.
But It runs only once when I start Universal Forwarder. Then, when I restart forwarder, it runs again and only once. When forwarder is working for 2 or more hours(script should run at least 2 times) just nothing happens.
How can I make scripts run on schedule?

Reply

MuS
Legend
‎06-24-2018 01:44 PM

Hi eduardKiyko,

looking at your schedule = 0 * * * entry it looks like your are missing one additional * . Therefore this is not a valid cron schedule and Splunk uses the default option for schedule. From the docs https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf 

schedule = [<number>|<cron schedule>]
* How often to run the specified PowerShell command or script.
* You can specify a number in seconds, or provide a valid cron
  schedule.
* Defaults to running the command or script once, at startup.

Find more details on valid cron notation here https://en.wikipedia.org/wiki/Cron#Overview

Hope this helps ...

cheers, MuS

Reply

kamal_jagga
Contributor
‎06-24-2018 01:15 PM

In the inputs.conf make the following entry to run it every 30 mins (30*60). default is 5 mins.

interval = 1800

https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Inputsconf

0 Karma
Reply

Kendo213
Communicator
‎05-04-2018 05:16 PM

I'm encountering the same issue. Did you find a resolution?

0 Karma
Reply

paulathome
Path Finder
‎05-04-2018 05:26 PM

Nope, not yet. Using Task Scheduler for now... (It's only on one machine.)

0 Karma
Reply

Kendo213
Communicator
‎05-04-2018 05:35 PM

I'm having a similar issue. Basically I've configured it to run every 5 minutes (splunkd doesn't say it's an invalid cron), however it only runs once at start. Sometimes it will run once at start, and then 5 minutes later (so I know the cron is correct) but then never again. If I do it the old way (i.e. cmd and invoking powershell) it works fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top