Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why does the Powershell script output empty values...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why does the Powershell script output empty values from second scheduled run?
Hi All,
I have a strange behavior with a scheduled Powershell script.
The .ps1 script simply execute in a Try Catch statement:
Get-ADUser -Properties * - Filter * | Select-Object AccountExpirationDate, AccountExpires, @{L = "AuthenticationPolicy; E = {$_.AuthenticationPolicy -join";"}} etc.. for all the requested objects
Note: The Hash Table is needed to avoid having System.Object[] for some fields, as described at the following link:
The problem is the following:
- Once the script is deployed from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields
- At the first scheduled attempt (and for the next ones), the script runs but generates an output containing most of all the fields, but the majority of them are empty. The only one with values are: DistinguishedName, GivenName, Name, ObjectGuid, SamAccountName, SID, UserPrincipalName, PropertyCount
- If the script is deployed again from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields
for info here the inputs.conf
[powershell://myscriptedinput]
script = . "$SplunkHome\etc\apps\myapp\bin\myscript.ps1"
index = myindex
sourcetype = mysourcetype
schedule = 0 6 * * *
disabled = 0
Do you have any idea why this could happen?
Thanks a lot,
Edoardo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try to change the schedule
From
schedule = 0 6 * * *
To
schedule = 1800
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For your info, I didn't came up with a solution on Powershell that's why we have re-written the script in VBScript and it is working properly.
I will leave the answer open just to see if someone encountering the same issue has been able to solve it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem using Get-ADObject and Get-ADComputer. I can't figure it out for the life of me.
In case this helps, official Splunk documentation says that PowerShell scripts must run as system (which is not what we're doing). However, I don't believe system has AD privileges.
https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsDatawithPowerShellscripts
Splunk Enterprise must run on Windows.
Splunk Enterprise must run as the Local System user to run all PowerShell scripts.
PowerShell v3.0 or later must be installed on the host.
Microsoft .NET version 4.5 or later must be installed on the host.
Jacob
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Finding Based Detections General Availability
Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience
What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives
