
PowerShell Modular Input Schedule Parameter

Communicator

7.0.0.2 Forwarder, with the following schedule specified in the inputs.conf for a PowerShell input: schedule = */5 * * * *

This resulted in the following run times in the last 24 hours:

4:15 AM, 4:20 AM, 5:15 AM, 6:15 AM, 6:20 AM, 7:15 AM, 8:20 AM.

I have opened a ticket; however, I wanted to see if anyone could decipher why that happened with the cron expression I'm using.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

SplunkTrust

I'm surprised that the input is running at all. Common inputs have 5 positions.
PowerShell inputs, however, use the Quartz syntax, so they have 6 positions.

Check this manual for details:
https://www.quartz-scheduler.net/documentation/quartz-2.x/tutorial/crontriggers.html

Edit: If you change your cron format, it should work properly. <- Only true for the PowerShell add-on.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

There seems to be confusion about what the PowerShell inputs require from a schedule perspective. The Quartz requirement seems to stem from the old Add-on for PowerShell that is out on Splunkbase.

http://www.cronmaker.com/ creates Quartz-based expressions; however, if you use those expressions, splunkd.log will report them as invalid. For example, they say to use 0 0/5 * * * ? to trigger every 5 minutes. That results in the error below when restarting the forwarder:

05-05-2018 09:32:25.199 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza checkdnsext. Invalid cron schedule:

0/5 * * * *

Also, please refer back to my original post. The Splunk forum was stripping out a part of my cron schedule.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

It seems to strip out the 6th position in the Cron for a [powershell://test] stanza.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

SplunkTrust

Hey, you're right, I missed that part.
I have to admit I don't know why there's a PowerShell add-on when PowerShell support is already built in.
The built-in seems to use the 5 positions, so, yeah, yours should work (and also, it seems to work, if not reliably).
You could try setting schedule = 300 to run it every 300 seconds; also, the execution time wouldn't be aligned to :5 and :0. Also, you could try to search index=_internal host=yourhost ExecProcessor to see when the ExecProcessor schedules your input and for what time/schedule - maybe you can see any strange behavior in those logs.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

Yeah, this is all very confusing, and the documentation you find isn't clear and is contradictory in some spots. I'll give those a shot; I didn't know about that _internal search. Thanks for the responses.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

Do you have any logs in your systems that show ExecProcessor scheduling PowerShell inputs? I only see logs for the input if the cron is invalid; otherwise it doesn't mention that it has scheduled anything.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

And -- just to add -- perhaps I'm just doing something completely wrong. Why else would it be stripping the 6th position from the cron and calling it invalid?

I've created an app in /etc/apps/specialapp with a bin folder, and a local folder.

The bin obviously contains the script. The local folder contains inputs.conf which contains the following:

[powershell://checkdnsext]
script = . "$SplunkHome\etc\apps\specialapp\bin\checkdnsext.ps1"
schedule = 0 0/5 * * * ?
sourcetype = ourcompany:powershell
source = Powershell
index = test
disabled = false

0 Karma
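
Added example, not part of any post in this thread and not Splunk code: a small Python check that labels a schedule value by shape (interval in seconds, 5-field cron, 6- or 7-field Quartz) and lists the expected runs missing between the first and last run time reported in the original post. It reads only the minute field and assumes every other field is a wildcard; the function names and the OBSERVED list (run times copied from the first post) are constructed for this sketch.

```python
from datetime import datetime, timedelta

# Run times reported in the original post (constructed sample input).
OBSERVED = ["4:15 AM", "4:20 AM", "5:15 AM", "6:15 AM",
            "6:20 AM", "7:15 AM", "8:20 AM"]

def classify_schedule(value):
    """Label a schedule string by shape only; says nothing about validity."""
    fields = value.split()
    if len(fields) == 1 and fields[0].isdigit():
        return "interval"          # e.g. schedule = 300
    if len(fields) == 5:
        return "cron5"             # minute hour day month weekday
    if len(fields) in (6, 7):
        return "quartz"            # seconds first, optional year last
    return "unknown"

def minute_slots(field):
    """Expand a minute field written as '*', '*/N', 'S/N' or 'M'."""
    if field == "*":
        return set(range(60))
    if "/" in field:
        start, step = field.split("/")
        first = 0 if start == "*" else int(start)
        return set(range(first, 60, int(step)))
    return {int(field)}

def missed_runs(schedule, observed, fmt="%I:%M %p"):
    """Expected-but-unseen run times between the first and last observed run.

    Assumption: only the minute field restricts the schedule.
    """
    kind = classify_schedule(schedule)
    if kind not in ("cron5", "quartz"):
        raise ValueError("need a cron or Quartz expression, got: " + kind)
    fields = schedule.split()
    # Quartz puts seconds first, so its minute field is the second one.
    slots = minute_slots(fields[0] if kind == "cron5" else fields[1])
    seen = sorted(datetime.strptime(t, fmt) for t in observed)
    seen_set, missed, t = set(seen), [], seen[0]
    while t <= seen[-1]:
        if t.minute in slots and t not in seen_set:
            missed.append(t.strftime("%H:%M"))
        t += timedelta(minutes=1)
    return missed

if __name__ == "__main__":
    gaps = missed_runs("*/5 * * * *", OBSERVED)
    print(len(gaps), "missed runs; first:", gaps[0], "last:", gaps[-1])
```

Feeding it timestamps pulled from the input's own events, rather than hand-copied times, gives the same gap list for any window.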