Hi All,
I have a strange behavior with a scheduled Powershell script.
The .ps1 script simply execute in a Try Catch statement:
Get-ADUser -Properties * - Filter * | Select-Object AccountExpirationDate, AccountExpires, @{L = "AuthenticationPolicy; E = {$_.AuthenticationPolicy -join";"}} etc.. for all the requested objects
Note: The Hash Table is needed to avoid having System.Object[] for some fields, as described at the following link:
The problem is the following:
for info here the inputs.conf
[powershell://myscriptedinput]
script = . "$SplunkHome\etc\apps\myapp\bin\myscript.ps1"
index = myindex
sourcetype = mysourcetype
schedule = 0 6 * * *
disabled = 0
Do you have any idea why this could happen?
Thanks a lot,
Edoardo
Try to change the schedule
From
schedule = 0 6 * * *
To
schedule = 1800
For your info, I didn't came up with a solution on Powershell that's why we have re-written the script in VBScript and it is working properly.
I will leave the answer open just to see if someone encountering the same issue has been able to solve it.
I have the same problem using Get-ADObject
and Get-ADComputer
. I can't figure it out for the life of me.
In case this helps, official Splunk documentation says that PowerShell scripts must run as system (which is not what we're doing). However, I don't believe system has AD privileges.
https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsDatawithPowerShellscripts
Splunk Enterprise must run on Windows.
Splunk Enterprise must run as the Local System user to run all PowerShell scripts.
PowerShell v3.0 or later must be installed on the host.
Microsoft .NET version 4.5 or later must be installed on the host.