Getting Data In

How can I make the Powershell add-on script's run on a schedule?

eduardKiyko
Explorer

I have an add-on that I'm deploying on Windows systems. inputs.conf looks like this:
[powershell://Processes-EX1]
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\Powershell_add_on\bin\Get-Policies.ps1
schedule = 0 * * *
sourcetype = WindowsPowershell
index = test
disabled = 0
I want this to run at every minute 0, every hour.
But It runs only once when I start Universal Forwarder. Then, when I restart forwarder, it runs again and only once. When forwarder is working for 2 or more hours(script should run at least 2 times) just nothing happens.
How can I make scripts run on schedule?

MuS
Legend

Hi eduardKiyko,

looking at your schedule = 0 * * * entry it looks like your are missing one additional * . Therefore this is not a valid cron schedule and Splunk uses the default option for schedule. From the docs https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

schedule = [<number>|<cron schedule>]
* How often to run the specified PowerShell command or script.
* You can specify a number in seconds, or provide a valid cron
  schedule.
* Defaults to running the command or script once, at startup.

Find more details on valid cron notation here https://en.wikipedia.org/wiki/Cron#Overview

Hope this helps ...

cheers, MuS

kamal_jagga
Contributor

In the inputs.conf make the following entry to run it every 30 mins (30*60). default is 5 mins.

interval = 1800

https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Inputsconf

0 Karma

Kendo213
Communicator

I'm encountering the same issue. Did you find a resolution?

0 Karma

paulathome
Path Finder

Nope, not yet. Using Task Scheduler for now... (It's only on one machine.)

0 Karma

Kendo213
Communicator

I'm having a similar issue. Basically I've configured it to run every 5 minutes (splunkd doesn't say it's an invalid cron), however it only runs once at start. Sometimes it will run once at start, and then 5 minutes later (so I know the cron is correct) but then never again. If I do it the old way (i.e. cmd and invoking powershell) it works fine.

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...