Powershell and crontab with universal forwarder not working as expected

Danny_Nilsson
Loves-to-Learn

I have done some really basic testing as I want to prove that this is not working correctly. I have added 3 scripts into a clean inputs.conf:

[powershell://Powershell01]
script = 'Filetest01' | out-file "c:\temp\filetest01 $(get-date -f "yyyy-MM-dd HH.mm").txt"
schedule = */5 * * * *
Index = Sandbox
Source = Powershell-test01
Sourcetype = Powershellscript

[powershell://Powershell02]
script = 'Filetest02' | out-file "c:\temp\filetest02 $(get-date -f "yyyy-MM-dd HH.mm").txt"
schedule = */5 * * * *
Index = Sandbox
Source = Powershell-test02
Sourcetype = Powershellscript

[powershell://Powershell03]
script = 'Filetest03' | out-file "c:\temp\filetest03 $(get-date -f "yyyy-MM-dd HH.mm").txt"
schedule = */5 * * * *
Index = Sandbox
Source = Powershell-test03
Sourcetype = Powershellscript

The log is reporting this when starting the service:

06-26-2020 10:06:07.1442893+2 INFO Exiting powershell host script.
06-26-2020 10:06:22.8073774+2 INFO start splunk-powerhsell.ps1
06-26-2020 10:06:24.2149136+2 INFO launched disposer

This is the result:

1. Filetest01 starts to run as the first job when the service is restarted, but none of the others
2. File should not start 1 sec behind schedule
3. Some scripts will execute 2 times
4. Filetest2 was skipped once. It goes from 10 > 20 where it was expected to be every 5 min


Name LastWriteTime
---- -------------
filetest01 2020-06-26 10.06.txt 26-06-2020 10:06:24
filetest01 2020-06-26 10.14.txt 26-06-2020 10:14:59
filetest01 2020-06-26 10.19.txt 26-06-2020 10:19:59
filetest01 2020-06-26 10.20.txt 26-06-2020 10:20:00
filetest01 2020-06-26 10.29.txt 26-06-2020 10:29:59
filetest01 2020-06-26 10.34.txt 26-06-2020 10:34:59
filetest01 2020-06-26 10.35.txt 26-06-2020 10:35:00
filetest01 2020-06-26 10.44.txt 26-06-2020 10:44:59
filetest01 2020-06-26 10.49.txt 26-06-2020 10:49:59
filetest01 2020-06-26 10.50.txt 26-06-2020 10:50:00
filetest02 2020-06-26 10.09.txt 26-06-2020 10:09:59
filetest02 2020-06-26 10.10.txt 26-06-2020 10:10:00
filetest02 2020-06-26 10.19.txt 26-06-2020 10:19:59
filetest02 2020-06-26 10.24.txt 26-06-2020 10:24:59
filetest02 2020-06-26 10.25.txt 26-06-2020 10:25:00
filetest02 2020-06-26 10.34.txt 26-06-2020 10:34:59
filetest02 2020-06-26 10.39.txt 26-06-2020 10:39:59
filetest02 2020-06-26 10.40.txt 26-06-2020 10:40:00
filetest02 2020-06-26 10.49.txt 26-06-2020 10:49:59
filetest03 2020-06-26 10.09.txt 26-06-2020 10:09:59
filetest03 2020-06-26 10.14.txt 26-06-2020 10:14:59
filetest03 2020-06-26 10.15.txt 26-06-2020 10:15:00
filetest03 2020-06-26 10.24.txt 26-06-2020 10:24:59
filetest03 2020-06-26 10.29.txt 26-06-2020 10:29:59
filetest03 2020-06-26 10.30.txt 26-06-2020 10:30:00
filetest03 2020-06-26 10.39.txt 26-06-2020 10:39:59
filetest03 2020-06-26 10.44.txt 26-06-2020 10:44:59
filetest03 2020-06-26 10.45.txt 26-06-2020 10:45:00

UniversalForwarder Version 7.0.2.0

Upgraded to Version 8.0.4.0

After upgrade it looks good

Name LastWriteTime
---- -------------
filetest01 2020-06-26 10.57.txt 26-06-2020 10:57:12
filetest01 2020-06-26 11.00.txt 26-06-2020 11:00:00
filetest01 2020-06-26 11.05.txt 26-06-2020 11:05:00
filetest02 2020-06-26 10.57.txt 26-06-2020 10:57:12
filetest02 2020-06-26 11.00.txt 26-06-2020 11:00:00
filetest02 2020-06-26 11.05.txt 26-06-2020 11:05:00
filetest03 2020-06-26 10.57.txt 26-06-2020 10:57:12
filetest03 2020-06-26 11.00.txt 26-06-2020 11:00:00
filetest03 2020-06-26 11.05.txt 26-06-2020 11:05:00

At last I found out this was a problem in the Splunk version that was fixed later.

Is it possible to not have Splunk run all scripts when starting the service? As I don't think it supports Cron 0/5 * * * *

0 Karma
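An added example, not part of the original post and not Splunk code: a small Python audit that reads a Name/LastWriteTime listing like the ones above and reports, per script, which `*/5` slots were skipped, which were run twice, and how many runs fired early or late. The function names, the 5-minute step default and the zero-second tolerance are assumptions of this sketch; the sample rows are the filetest02 rows from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rows copied from the filetest02 listing in the post (Name, LastWriteTime).
LISTING = """\
filetest02 2020-06-26 10.09.txt 26-06-2020 10:09:59
filetest02 2020-06-26 10.10.txt 26-06-2020 10:10:00
filetest02 2020-06-26 10.19.txt 26-06-2020 10:19:59
filetest02 2020-06-26 10.24.txt 26-06-2020 10:24:59
filetest02 2020-06-26 10.25.txt 26-06-2020 10:25:00
filetest02 2020-06-26 10.34.txt 26-06-2020 10:34:59
filetest02 2020-06-26 10.39.txt 26-06-2020 10:39:59
filetest02 2020-06-26 10.40.txt 26-06-2020 10:40:00
filetest02 2020-06-26 10.49.txt 26-06-2020 10:49:59
"""
ROW = re.compile(r"^(\w+) \S+ \S+\.txt (\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})$")
ZERO = timedelta(0)

def nearest_slot(ts, step):
    # Closest multiple of `step`, counted from midnight of the same day.
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + round((ts - midnight) / step) * step

def audit(listing, step=timedelta(minutes=5), tolerance=ZERO):
    # script -> scheduled slot -> offsets of the runs that landed nearest to it
    runs = defaultdict(lambda: defaultdict(list))
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        ts = datetime.strptime(m.group(2), "%d-%m-%Y %H:%M:%S")
        slot = nearest_slot(ts, step)
        runs[m.group(1)][slot].append(ts - slot)
    report = {}
    for script, slots in runs.items():
        first, last = min(slots), max(slots)
        expected = [first + i * step for i in range((last - first) // step + 1)]
        offsets = [o for offs in slots.values() for o in offs]
        report[script] = {
            "skipped": [s for s in expected if s not in slots],
            "duplicated": sorted(s for s, offs in slots.items() if len(offs) > 1),
            "early": sum(o < ZERO for o in offsets),
            "late": sum(o > tolerance for o in offsets),
        }
    return report

if __name__ == "__main__":
    for script, findings in audit(LISTING).items():
        print(script, findings)
```

A run made at service start (such as the 10:06:24 and 10:57:12 rows) is counted against its nearest slot, so it shows up as a late run rather than as a scheduled one.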