I'm running 2 PowerShell scripts on a Universal Forwarder version 7.0.1 to get all the users and systems from the AD, and I want them to run every day at 12 am. I have the PowerShell add-on on the Universal Forwarder.
For some reason the scripts are not running every day. Sometimes it works and sometimes it won't; usually after a restart it runs once and then the next day it's not running again.
Their inputs in inputs.conf are:
[powershell://Active-Directory]
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\\systems.ps1"
schedule = 0 0 * * *
index = something

[powershell://Users]
script = . "C:\Program Files\SplunkUniversalForwarder\etc\apps\\users.ps1"
schedule = 0 0 * * *
index = something2
I can't find anything helpful in the logs or online.
Thanks in advance.
You can directly invoke the script like below, and your schedule syntax is wrong.

# interval: runs once a day
[powershell://Active-Directory]
script = $SPLUNK_HOME\etc\apps\users.ps1
disabled = false
index = something
interval = 86400
source = something
sourcetype = something

# schedule: runs every 5 mins
[powershell://Active-Directory]
script = $SPLUNK_HOME\etc\apps\users.ps1
disabled = false
index = something
schedule = */5 * * * *
source = something
sourcetype = something
Thanks for the answer, I changed the schedule to
schedule = 0 0 * * * and yesterday it worked fine but today only one script gave me events, do you know why?
As per your cron, it runs exactly at midnight (once in a full day). Please check if it matches your schedules.
It should run at midnight but it didn't run at all.
I have been fighting with this issue for a long time. It doesn't seem possible to run 2 scripts simultaneously.
I had some success in doing a */5 * * * * on two scripts, but weird stuff still happens.
When restarting the service, the first script always runs. Then it waits 5 min and runs the second script, and 5 min again for the second script, so in my case they run in sequence.
In the Powershell.ps1 that Splunk uses, you can set a debug parameter to get more information. Try an example with */2 * * * * and test for yourself: it should run both scripts every second minute, but it ends up taking 4 minutes as it's in sequence.
My solution was to have only one cron and one script with multiple functions inside, and then use the hardcoded Splunk PSObject rows to define index, source, and sourcetype.
When you enable debug, try this command to see when your scripts execute:
Get-Content -Path 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk-powershell.ps1.log' | Select-String -Pattern 'Executing script' | Out-GridView
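
A sketch of the single-script approach described in the last answer, added here as an example and not code posted by anyone in the thread. It assumes the ActiveDirectory (RSAT) module is installed on the forwarder host; the function names and the source and sourcetype values are hypothetical, the index names are the ones from the question, and the `Splunk*` properties are the ones the Splunk PowerShell input reserves on output objects.

```powershell
# Added example, not code from the thread. Intended to be the only script in a
# single [powershell://...] stanza with one schedule, replacing the two stanzas.
Import-Module ActiveDirectory -ErrorAction Stop

# Hypothetical helper: tag each output object with the reserved properties the
# Splunk PowerShell input reads to route an event (index, source, sourcetype).
function Add-SplunkRouting {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $InputObject,
        [Parameter(Mandatory)] [string] $Index,
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $SourceType
    )
    process {
        $InputObject |
            Add-Member -NotePropertyName SplunkIndex      -NotePropertyValue $Index      -PassThru |
            Add-Member -NotePropertyName SplunkSource     -NotePropertyValue $Source     -PassThru |
            Add-Member -NotePropertyName SplunkSourceType -NotePropertyValue $SourceType -PassThru
    }
}

# Hypothetical collector for computer accounts (the "systems" script).
function Get-InventorySystems {
    Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate -ErrorAction Stop |
        Select-Object Name, DNSHostName, Enabled, OperatingSystem, LastLogonDate
}

# Hypothetical collector for user accounts (the "users" script).
function Get-InventoryUsers {
    Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet -ErrorAction Stop |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}

# Each collector has its own try/catch so a failure in one does not stop the
# other from emitting events. Source and sourcetype values are constructed.
try {
    Get-InventorySystems |
        Add-SplunkRouting -Index 'something' -Source 'ad:systems' -SourceType 'ad:system'
} catch {
    Write-Warning "systems collection failed: $_"
}
try {
    Get-InventoryUsers |
        Add-SplunkRouting -Index 'something2' -Source 'ad:users' -SourceType 'ad:user'
} catch {
    Write-Warning "users collection failed: $_"
}
```

Because routing is set per object, the stanza that runs this script needs only `script` and `schedule`; a gap in either index after a scheduled run then points at one collector rather than at the scheduler.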