126.96.36.199 Forwarder, with the following schedule specified in the inputs.conf for a PowerShell input: schedule =
*/5 * * * *
This resulted in the following run times in the last 24 hours:
4:15 AM, 4:20 AM, 5:15 AM, 6:15 AM,6:20 Am, 7:15 AM, 8:20 AM.
I have opened a ticket, however I wanted to see if anyone could decipher why that happened with the cron expression I'm using.
I'm surprised that the input is running at all. Common inputs have 5 positions.
Powershell inputs however use the Quartz Syntax, so they have 6 positions:
Check this manual for details:
Edit: If you change your crown format, it should work properly. <- Only true for the Powershell add-on.
There seems to be confusion about what the Powershell inputs require from a schedule perspective. The quartz requirement seems to stem from the old Add-on for Powershell that is out on Splunk base.
http://www.cronmaker.com/ creates quartz based expressions, however if you use those expressions, splunkd.log will report it as invalid. For example, they say to use
0 0/5 * * * ? to trigger every 5 minutes. That results in the error below when restarting the forwarder:
05-05-2018 09:32:25.199 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" splunk-powershell - Powershell::InitPowershell: Stanza checkdnsext. Invalid cron schedule:
0/5 * * * *
Also, please refer back to my original post. Splunk forums was stripping out a part of my cron schedule.
Hey, you're right, I missed that part.
I've to admit I don't know why there's a Powershell add-on when Powershell support is already built-in.
The built-in seems to use the 5 positions, so, yeah, yours should work (and also, it seems to work, if not reliable.
You could try setting
schedule = 300 to run it every 300 seconds, also the execution time wouldn't be aligned to :5 and :0. Also, you could try to search
index=_internal host=yourhost ExecProcessor to see when the ExecProcesor schedules your input and for what time/schedule - maybe you can see any strange behavior in those logs.
Yeah this is all very confusing, and the documentation you find isn't clear, and contradictory in some spots. I'll give those a shot, I didn't know about that _internal search. Thanks for the responses
Do you have any logs in your systems that show ExecProcessor scheduling powershell inputs? I only see logs for the input if the cron is invalid, otherwise it doesn't mention that it has scheduled anything.
And -- just to add -- perhaps I'm just doing something completely wrong. Why else would it be stripping the 6th position from the cron and calling it invalid?
I've created an app in /etc/apps/specialapp with a bin folder, and a local folder.
The bin obviously contains the script. The local folder contains inputs.conf which contains the following:
script = . "$SplunkHome\etc\apps\specialapp\bin\checkdnsext.ps1"
schedule = 0 0/5 * * * ?
sourcetype = ourcompany:powershell
source = Powershell
index = test
disabled = false