Getting Data In

Why does the Powershell script output empty values from second scheduled run?


Hi All,

I have a strange behavior with a scheduled Powershell script.
The .ps1 script simply execute in a Try Catch statement:

Get-ADUser -Properties * - Filter * | Select-Object AccountExpirationDate, AccountExpires, @{L = "AuthenticationPolicy; E = {$_.AuthenticationPolicy -join";"}} etc.. for all the requested objects

Note: The Hash Table is needed to avoid having System.Object[] for some fields, as described at the following link:

The problem is the following:

  1. Once the script is deployed from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields
  2. At the first scheduled attempt (and for the next ones), the script runs but generates an output containing most of all the fields, but the majority of them are empty. The only one with values are: DistinguishedName, GivenName, Name, ObjectGuid, SamAccountName, SID, UserPrincipalName, PropertyCount
  3. If the script is deployed again from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields

for info here the inputs.conf

script = . "$SplunkHome\etc\apps\myapp\bin\myscript.ps1"
index = myindex
sourcetype = mysourcetype
schedule = 0 6 * * *
disabled = 0

Do you have any idea why this could happen?

Thanks a lot,

Labels (3)


Try to change the schedule 


schedule = 0 6 * * *


schedule = 1800


0 Karma


For your info, I didn't came up with a solution on Powershell that's why we have re-written the script in VBScript and it is working properly.
I will leave the answer open just to see if someone encountering the same issue has been able to solve it.

0 Karma


I have the same problem using Get-ADObject and Get-ADComputer. I can't figure it out for the life of me.

In case this helps, official Splunk documentation says that PowerShell scripts must run as system (which is not what we're doing). However, I don't believe system has AD privileges.

Splunk Enterprise must run on Windows.
Splunk Enterprise must run as the Local System user to run all PowerShell scripts.
PowerShell v3.0 or later must be installed on the host.
Microsoft .NET version 4.5 or later must be installed on the host.

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...