Getting Data In

PowerShell script not running on schedule

agentsofshield
Path Finder

I'm running 2 PowerShell scripts on a Universal Forwarder version 7.0.1 to get all the users and systems from the AD, and I want them to run every day at 12 am. I have the PowerShell add-on on the universal forwarder.
For some reason the scripts are not running every day; sometimes it works and sometimes it won't. Usually after a restart it runs once and then the next day it's not running again.

Their inputs in inputs.conf are:

[powershell://Active-Directory]
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\\systems.ps1"
schedule = 0 0 * * *
index = something

[powershell://Users]
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\\users.ps1"
schedule = 0 0 * * *
index = something2

I can't find anything helpful in the logs or online.
Thanks in advance.

0 Karma

thambisetty
SplunkTrust

Hi @agentsofshield,

You can invoke the script directly like below, and your schedule syntax is wrong.

[powershell://Active-Directory]
script= $SPLUNK_HOME\etc\apps\users.ps1
disabled = false
index = something
interval = 86400 
source = something
sourcetype = something
# interval : runs once in day

OR

[powershell://Active-Directory]
script= $SPLUNK_HOME\etc\apps\users.ps1
disabled = false
index = something
schedule = */5 * * * *
source = something
sourcetype = something
#schedule : runs for every 5 mins.
————————————
If this helps, give a like below.
0 Karma

agentsofshield
Path Finder

Thanks for the answer. I changed the schedule to schedule = 0 0 * * * and yesterday it worked fine, but today only one script gave me events. Do you know why?

0 Karma

thambisetty
SplunkTrust

As per your cron, it runs at exactly midnight (once in a full day). Please check if it matches your schedules.

————————————
If this helps, give a like below.
0 Karma

agentsofshield
Path Finder

It should run at midnight, but it didn't run at all.

0 Karma

Danny_Nilsson
Explorer

I have been fighting with this issue for a long time. It doesn't seem possible to run 2 scripts simultaneously.

I had some success in doing a */5 * * * * on two scripts, but weird stuff still happens.

When restarting the service, the first script always runs. Then it waits 5 min and runs the second script, and 5 min again for the second script, so they run in sequence in my case.

From the Powershell.ps1 that Splunk uses, you can set a debug parameter to get more information. Try an example with */2 * * * * and test for yourself: it should run both scripts every second minute, but it ends up taking 4 minutes as it's in sequence.

My solution was to have only one cron and one script with multiple functions inside, and then use the hardcoded Splunk PSObject rows to define index, source, and sourcetype.

When you enable debug, try this command to see when your scripts execute:

Get-Content -Path 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk-powershell.ps1.log' | Select-String -Pattern 'Executing script' | Out-GridView

 

0 Karma
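
The workaround described in the last reply (one schedule, one script with several functions, routing set per object) could look like the sketch below. It is an added example, not code posted by anyone in this thread. It relies on the PowerShell input's reserved output properties SplunkIndex, SplunkSource and SplunkSourceType; the script name, stanza name, `<your_app>` placeholder, source and sourcetype values, and the selected AD attributes are assumptions.

```powershell
# Hypothetical combined script (ad_inventory.ps1), run from ONE stanza, e.g.:
#   [powershell://AD-Inventory]
#   script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\<your_app>\ad_inventory.ps1"
#   schedule = 0 0 * * *
# Requires the ActiveDirectory (RSAT) module on the forwarder host.

# Turn non-terminating errors into terminating ones so try/catch sees them.
$ErrorActionPreference = 'Stop'

function Add-SplunkRouting {
    # Tag each pipeline object with the reserved routing properties, so the
    # index/source/sourcetype come from the object instead of inputs.conf.
    param(
        [Parameter(ValueFromPipeline = $true)] $InputObject,
        [string] $Index, [string] $Source, [string] $SourceType
    )
    process {
        $InputObject |
            Add-Member -NotePropertyName SplunkIndex      -NotePropertyValue $Index      -PassThru |
            Add-Member -NotePropertyName SplunkSource     -NotePropertyValue $Source     -PassThru |
            Add-Member -NotePropertyName SplunkSourceType -NotePropertyValue $SourceType -PassThru
    }
}

function Get-UserInventory {
    # Replaces users.ps1; index name taken from the question's [powershell://Users] stanza.
    Get-ADUser -Filter * -Properties LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate, DistinguishedName |
        Add-SplunkRouting -Index 'something2' -Source 'ad:users' -SourceType 'ad:user'
}

function Get-SystemInventory {
    # Replaces systems.ps1; index name taken from the [powershell://Active-Directory] stanza.
    Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
        Select-Object Name, Enabled, OperatingSystem, LastLogonDate, DistinguishedName |
        Add-SplunkRouting -Index 'something' -Source 'ad:systems' -SourceType 'ad:computer'
}

# Run collectors one after another. A failure in one is reported as its own
# event and does not stop the next one, so a missing data set is visible in search.
foreach ($collector in 'Get-UserInventory', 'Get-SystemInventory') {
    try {
        & $collector
    } catch {
        [pscustomobject]@{ Collector = $collector; Error = $_.Exception.Message } |
            Add-SplunkRouting -Index 'something' -Source 'ad:inventory' -SourceType 'ad:inventory:error'
    }
}
```

Searching the constructed `ad:inventory:error` sourcetype after midnight shows whether a collector failed, as opposed to the input never being scheduled at all.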