PowerShell Modular Input Schedule Parameter

Kendo213
Communicator

7.0.0.2 Forwarder, with the following schedule specified in the inputs.conf for a PowerShell input: schedule = */5 * * * *

This resulted in the following run times in the last 24 hours:

4:15 AM, 4:20 AM, 5:15 AM, 6:15 AM, 6:20 AM, 7:15 AM, 8:20 AM.

I have opened a ticket, however I wanted to see if anyone could decipher why that happened with the cron expression I'm using.

0 Karma

Kendo213
Communicator

And -- just to add -- perhaps I'm just doing something completely wrong. Why else would it be stripping the 6th position from the cron and calling it invalid?

I've created an app in /etc/apps/specialapp with a bin folder, and a local folder.

The bin obviously contains the script. The local folder contains inputs.conf which contains the following:

[powershell://checkdnsext]
script = . "$SplunkHome\etc\apps\specialapp\bin\checkdnsext.ps1"
schedule = 0 0/5 * * * ?
sourcetype = ourcompany:powershell
source = Powershell
index = test
disabled = false

0 Karma

xpac
SplunkTrust

I'm surprised that the input is running at all. Common inputs have 5 positions.
Powershell inputs however use the Quartz Syntax, so they have 6 positions:

Check this manual for details:
https://www.quartz-scheduler.net/documentation/quartz-2.x/tutorial/crontriggers.html

Edit: If you change your cron format, it should work properly. <- Only true for the Powershell add-on.

0 Karma

Kendo213
Communicator

There seems to be confusion about what the Powershell inputs require from a schedule perspective. The quartz requirement seems to stem from the old Add-on for Powershell that is out on Splunk base.

http://www.cronmaker.com/ creates quartz based expressions, however if you use those expressions, splunkd.log will report it as invalid. For example, they say to use 0 0/5 * * * ? to trigger every 5 minutes. That results in the error below when restarting the forwarder:

05-05-2018 09:32:25.199 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza checkdnsext. Invalid cron schedule:

0/5 * * * *

Also, please refer back to my original post. Splunk forums was stripping out a part of my cron schedule.

0 Karma

xpac
SplunkTrust

Hey, you're right, I missed that part.
I have to admit I don't know why there's a Powershell add-on when Powershell support is already built-in.
The built-in seems to use the 5 positions, so, yeah, yours should work (and also, it seems to work, if not reliably).
You could try setting schedule = 300 to run it every 300 seconds, also the execution time wouldn't be aligned to :*5 and :*0. Also, you could try to search index=_internal host=yourhost ExecProcessor to see when the ExecProcessor schedules your input and for what time/schedule - maybe you can see any strange behavior in those logs.

0 Karma

Kendo213
Communicator

Do you have any logs in your systems that show ExecProcessor scheduling powershell inputs? I only see logs for the input if the cron is invalid, otherwise it doesn't mention that it has scheduled anything.

0 Karma

Kendo213
Communicator

Yeah, this is all very confusing, and the documentation you find isn't clear, and contradictory in some spots. I'll give those a shot, I didn't know about that _internal search. Thanks for the responses.

0 Karma

Kendo213
Communicator

It seems to strip out the 6th position in the Cron for a [powershell://test] stanza.

0 Karma
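
Added example (not part of the original thread and not Splunk's own code): a small Python check that lists each [powershell://...] stanza's schedule, classifies it by shape (integer seconds, 5-field cron, 6- or 7-field Quartz-style), and marks stanzas that splunkd.log reported with "Invalid cron schedule". The interval_example stanza and other.ps1 are hypothetical; the classification is by field count only and assumes nothing about which form a given forwarder version accepts.

```python
import configparser
import re

# Constructed sample: first stanza as posted in the thread, second is hypothetical.
SAMPLE_INPUTS = r"""
[powershell://checkdnsext]
script = . "$SplunkHome\etc\apps\specialapp\bin\checkdnsext.ps1"
schedule = 0 0/5 * * * ?
index = test

[powershell://interval_example]
script = . "$SplunkHome\etc\apps\specialapp\bin\other.ps1"
schedule = 300
"""

# splunkd.log line as quoted in the thread.
SAMPLE_LOG = r'''05-05-2018 09:32:25.199 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza checkdnsext. Invalid cron schedule:
'''

REJECTED = re.compile(
    r"ERROR ExecProcessor .*Powershell::InitPowershell: "
    r"Stanza (\S+?)\. Invalid cron schedule")

def schedule_shape(value):
    """Classify by shape only; makes no claim about what splunkd accepts."""
    fields = value.split()
    if len(fields) == 1 and fields[0].isdigit():
        return "interval-seconds"
    if len(fields) == 5:
        return "cron-5-field"
    if len(fields) in (6, 7):
        return "quartz-style-%d-field" % len(fields)
    return "unrecognized"

def powershell_schedules(conf_text):
    """Map each [powershell://name] stanza to its raw schedule value."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    return {s.split("://", 1)[1]: cp[s].get("schedule", "")
            for s in cp.sections() if s.startswith("powershell://")}

def rejected_stanzas(log_text):
    """Stanza names that splunk-powershell reported as having an invalid schedule."""
    return {m.group(1) for m in REJECTED.finditer(log_text)}

def report(conf_text, log_text):
    rejected = rejected_stanzas(log_text)
    return [(name, sched, schedule_shape(sched), name in rejected)
            for name, sched in sorted(powershell_schedules(conf_text).items())]
```

Calling report() with the contents of the app's local/inputs.conf and the forwarder's splunkd.log returns one tuple per stanza: name, raw schedule, shape, and whether the log shows it was rejected. A rejected stanza is a collection gap worth alerting on.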