
PowerShell Modular Input Schedule Parameter

Communicator

7.0.0.2 Forwarder, with the following schedule specified in the inputs.conf for a PowerShell input: schedule = */5 * * * *

This resulted in the following run times in the last 24 hours:

4:15 AM, 4:20 AM, 5:15 AM, 6:15 AM, 6:20 AM, 7:15 AM, 8:20 AM.

I have opened a ticket; however, I wanted to see if anyone could decipher why that happened with the cron expression I'm using.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

SplunkTrust

I'm surprised that the input is running at all. Common inputs have 5 positions.
PowerShell inputs, however, use the Quartz syntax, so they have 6 positions.

Check this manual for details:
https://www.quartz-scheduler.net/documentation/quartz-2.x/tutorial/crontriggers.html

Edit: If you change your cron format, it should work properly. <- Only true for the PowerShell add-on.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

There seems to be confusion about what the PowerShell inputs require from a schedule perspective. The Quartz requirement seems to stem from the old Add-on for PowerShell that is out on Splunkbase.

http://www.cronmaker.com/ creates Quartz-based expressions; however, if you use those expressions, splunkd.log will report them as invalid. For example, they say to use 0 0/5 * * * ? to trigger every 5 minutes. That results in the error below when restarting the forwarder:

05-05-2018 09:32:25.199 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza checkdnsext. Invalid cron schedule:

0/5 * * * *

Also, please refer back to my original post. Splunk forums was stripping out a part of my cron schedule.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

It seems to strip out the 6th position in the Cron for a [powershell://test] stanza.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

SplunkTrust

Hey, you're right, I missed that part.
I have to admit I don't know why there's a PowerShell add-on when PowerShell support is already built-in.
The built-in seems to use the 5 positions, so, yeah, yours should work (and also, it seems to work, if not reliably).
You could try setting schedule = 300 to run it every 300 seconds; also, the execution time wouldn't be aligned to :5 and :0. Also, you could try to search index=_internal host=yourhost ExecProcessor to see when the ExecProcessor schedules your input and for what time/schedule - maybe you can see any strange behavior in those logs.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

Yeah, this is all very confusing, and the documentation you find isn't clear, and is contradictory in some spots. I'll give those a shot; I didn't know about that _internal search. Thanks for the responses.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

Do you have any logs in your systems that show ExecProcessor scheduling powershell inputs? I only see logs for the input if the cron is invalid, otherwise it doesn't mention that it has scheduled anything.

0 Karma

Re: PowerShell Modular Input Schedule Parameter

Communicator

And -- just to add -- perhaps I'm just doing something completely wrong. Why else would it be stripping the 6th position from the cron and calling it invalid?

I've created an app in /etc/apps/specialapp with a bin folder, and a local folder.

The bin obviously contains the script. The local folder contains inputs.conf which contains the following:

[powershell://checkdnsext]
script = . "$SplunkHome\etc\apps\specialapp\bin\checkdnsext.ps1"
schedule = 0 0/5 * * * ?
sourcetype = ourcompany:powershell
source = Powershell
index = test
disabled = false

0 Karma
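
The comparison the last post makes by hand, as an added example that is not part of any post in this thread and is not Splunk code: it reads each [powershell://] stanza's configured schedule and sets it against the expression splunkd.log reports as invalid. The sample inputs.conf and log line are constructed from the thread's text; the hypothetical_interval stanza and the single-line layout of the log message are assumptions.

```python
import configparser
import re

# Constructed sample: the stanza from the thread plus one hypothetical stanza.
INPUTS_CONF = r'''
[powershell://checkdnsext]
script = . "$SplunkHome\etc\apps\specialapp\bin\checkdnsext.ps1"
schedule = 0 0/5 * * * ?

[powershell://hypothetical_interval]
schedule = 300
'''

# Constructed log line modelled on the error quoted in the thread; having the
# rejected expression on the same line as the message is an assumption.
SPLUNKD_LOG = r'''05-05-2018 09:32:25.199 -0500 ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" splunk-powershell - Powershell::InitPowershell: Stanza checkdnsext. Invalid cron schedule: 0/5 * * * *'''

REJECT = re.compile(r"Stanza (?P<stanza>\S+)\. Invalid cron schedule:\s*(?P<expr>.*)$")

def classify(schedule):
    """Describe a schedule value by shape only; this does not judge validity."""
    fields = schedule.split()
    if len(fields) == 1 and fields[0].isdigit():
        return "interval-seconds"
    return f"{len(fields)}-field cron"

def configured_schedules(conf_text):
    """Map powershell:// stanza name -> schedule exactly as written in inputs.conf."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return {s.split("://", 1)[1]: cp[s]["schedule"]
            for s in cp.sections()
            if s.startswith("powershell://") and "schedule" in cp[s]}

def rejected_schedules(log_text):
    """Map stanza name -> expression the log reports as an invalid cron schedule."""
    hits = (REJECT.search(line) for line in log_text.splitlines())
    return {m["stanza"]: m["expr"].strip() for m in hits if m}

def compare(conf_text, log_text):
    """For each rejected stanza, show what was written next to what was reported."""
    conf = configured_schedules(conf_text)
    report = []
    for stanza, seen in rejected_schedules(log_text).items():
        written = conf.get(stanza)  # None if the stanza is not in this file
        report.append({
            "stanza": stanza, "configured": written, "reported": seen,
            "configured_shape": classify(written) if written else None,
            "fields_lost": len(written.split()) - len(seen.split()) if written else None,
        })
    return report
```

Calling compare(INPUTS_CONF, SPLUNKD_LOG) on the constructed samples returns one row for checkdnsext with a 6-field configured value and a 5-field reported value, which is the mismatch described in the post above.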