I'm running 2 PowerShell scripts on a Universal Forwarder version 7.0.1 to get all the users and systems from the AD, and I want them to run every day at 12 am. I have the PowerShell add-on on the universal forwarder.
For some reason the scripts are not running every day; sometimes it works and sometimes it won't. Usually after a restart it runs once, and then the next day it's not running again.
Their inputs in inputs.conf are:
[powershell://Active-Directory]
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\\systems.ps1"
schedule = 0 0 * * *
index = something
[powershell://Users]
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\\users.ps1"
schedule = 0 0 * * *
index = something2
I can't find anything helpful in the logs or online.
Thanks in advance.
Hi @agentsofshield,
You can directly invoke the script like below, and your schedule syntax is wrong.
[powershell://Active-Directory]
script= $SPLUNK_HOME\etc\apps\users.ps1
disabled = false
index = something
interval = 86400
source = something
sourcetype = something
# interval: runs once a day
OR
[powershell://Active-Directory]
script= $SPLUNK_HOME\etc\apps\users.ps1
disabled = false
index = something
schedule = */5 * * * *
source = something
sourcetype = something
# schedule: runs every 5 minutes
Thanks for the answer. I changed the schedule to schedule = 0 0 * * *
and yesterday it worked fine, but today only one script gave me events. Do you know why?
As per your cron, it runs at exactly midnight (once in a full day). Please check if it matches your schedules.
It should run at midnight, but it didn't run at all.
I have been fighting with this issue for a long time. It doesn't seem possible to run 2 scripts simultaneously.
I had some success in doing a */5 * * * * on two scripts, but weird stuff still happens.
When restarting the service, the first script always runs. Then it waits 5 min and runs the second script, and 5 min again for the second script, so they run in sequence in my case.
From the Powershell.ps1 that Splunk uses, you can set a debug parameter to get more information. Try an example with */2 * * * * and test for yourself: it should run both scripts every second minute, but it ends up taking 4 minutes as it's in sequence.
My solution was to have only one cron and one script with multiple functions inside, and then use the hardcoded Splunk PSObject rows to define index, source, and sourcetype.
When you enable debug, try this command to see when your scripts execute:
Get-Content -Path 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk-powershell.ps1.log' | Select-String -Pattern 'Executing script' | Out-GridView
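The single-script approach from the last reply, sketched as an added example that is not code from the thread: one scheduled stanza, two collector functions, and the per-object properties the Splunk PowerShell input reads (SplunkIndex, SplunkSourceType, SplunkSource) to route each event. The script name, stanza name, sourcetype and source values are assumptions, and it assumes the ActiveDirectory (RSAT) module is installed on the forwarder.

```powershell
# Added example, not code from the thread. Run it from ONE stanza, e.g.
# (<app> is a placeholder; the thread does not give the app folder):
#   [powershell://AD-Inventory]
#   script = . "$SplunkHome\etc\apps\<app>\bin\ad-inventory.ps1"
#   schedule = 0 0 * * *

function Get-AdSystemEvents {
    Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Name             = $_.Name
                OperatingSystem  = $_.OperatingSystem
                Enabled          = $_.Enabled
                LastLogonDate    = $_.LastLogonDate
                SplunkIndex      = 'something'       # index from the question
                SplunkSourceType = 'ad:systems'      # constructed name
                SplunkSource     = 'ad-inventory'    # constructed name
            }
        }
}

function Get-AdUserEvents {
    Get-ADUser -Filter * -Properties LastLogonDate -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName   = $_.SamAccountName
                Enabled          = $_.Enabled
                LastLogonDate    = $_.LastLogonDate
                SplunkIndex      = 'something2'      # index from the question
                SplunkSourceType = 'ad:users'        # constructed name
                SplunkSource     = 'ad-inventory'    # constructed name
            }
        }
}

# A failure in one collector becomes an event and does not stop the other.
foreach ($collector in 'Get-AdSystemEvents', 'Get-AdUserEvents') {
    try {
        Import-Module ActiveDirectory -ErrorAction Stop   # assumes RSAT AD module
        & $collector
    } catch {
        [pscustomobject]@{
            Collector        = $collector
            Error            = $_.Exception.Message
            SplunkIndex      = 'something'
            SplunkSourceType = 'ad:inventory:error'   # constructed name
        }
    }
}
```

Selecting only the listed attributes keeps the forwarded events small and avoids shipping every directory attribute of every account into the index.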