Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Why can't Splunk continuously index data from a powershell input?

yutaka1005
Builder
‎01-09-2019 10:19 PM

Splunk ver : 6.6.6
OS : Linux 7

Universal Forwarder ver : 6.6.6
OS : Windows Server 2016

I configured below inputs.conf and sample.ps1 in the Universal Forwarder and Splunk indexed once, but after that, no more events were indexed.

inputs.conf

[powershell://power_shell_sapmle]
script = . "$SplunkHome\etc\apps\sample_app\bin\sample.ps1"
interval = */1 * * * *
sourcetype = power_shell_sapmle

sample.ps1

$Output = invoke-expression "wmic cpu list brief"
Write-Output $Output

Is my configuration wrong?

Please someone help me.

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Why can't Splunk continuously index data from a powershell input?

deepashri_123
Motivator
‎01-10-2019 12:43 AM

Hey@yutaka1005,

As per the docs, default the script executes only once.
To schedule the script, you can try using parameter 

schedule=<cron>

https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/MonitorWindowsdatawithPowerShellscripts

Let me know if this helps!!

View solution in original post

Reply
Highlighted
Solved! Jump to solution

Re: Why can't Splunk continuously index data from a powershell input?

yutaka1005
Builder
‎01-10-2019 06:47 PM

Thank you for answer!

I did not check the manual properly ...
It was very helpful.

0 Karma
Reply