I have an add-on that I'm deploying on Windows systems. inputs.conf looks like this:
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\Powershell_add_on\bin\Get-Policies.ps1
schedule = 0 * * *
sourcetype = WindowsPowershell
index = test
disabled = 0
I want this to run at every minute 0, every hour.
But It runs only once when I start Universal Forwarder. Then, when I restart forwarder, it runs again and only once. When forwarder is working for 2 or more hours(script should run at least 2 times) just nothing happens.
How can I make scripts run on schedule?
looking at your
schedule = 0 * * * entry it looks like your are missing one additional
* . Therefore this is not a valid cron schedule and Splunk uses the default option for schedule. From the docs https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
schedule = [<number>|<cron schedule>] * How often to run the specified PowerShell command or script. * You can specify a number in seconds, or provide a valid cron schedule. * Defaults to running the command or script once, at startup.
Find more details on valid cron notation here https://en.wikipedia.org/wiki/Cron#Overview
Hope this helps ...
I'm having a similar issue. Basically I've configured it to run every 5 minutes (splunkd doesn't say it's an invalid cron), however it only runs once at start. Sometimes it will run once at start, and then 5 minutes later (so I know the cron is correct) but then never again. If I do it the old way (i.e. cmd and invoking powershell) it works fine.