Getting Data In

Why does the Powershell script output empty values from second scheduled run?

edoardo_vicendo
Builder

Hi All,

I have a strange behavior with a scheduled PowerShell script.
The .ps1 script simply executes, in a Try Catch statement:

Get-ADUser -Properties * -Filter * | Select-Object AccountExpirationDate, AccountExpires, @{L = "AuthenticationPolicy"; E = {$_.AuthenticationPolicy -join ";"}}, etc. for all the requested objects

Note: The Hash Table is needed to avoid having System.Object[] for some fields, as described at the following link:

https://community.spiceworks.com/topic/2144503-how-to-get-everything-and-i-mean-everything-about-you...

The problem is the following:

  1. Once the script is deployed from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields
  2. At the first scheduled attempt (and for the next ones), the script runs but generates an output containing most of all the fields, but the majority of them are empty. The only ones with values are: DistinguishedName, GivenName, Name, ObjectGuid, SamAccountName, SID, UserPrincipalName, PropertyCount
  3. If the script is deployed again from the Deployment server to the Splunk universal forwarder, it runs and correctly generates the output without empty fields

For info, here is the inputs.conf:

[powershell://myscriptedinput]
script = . "$SplunkHome\etc\apps\myapp\bin\myscript.ps1"
index = myindex
sourcetype = mysourcetype
schedule = 0 6 * * *
disabled = 0

Do you have any idea why this could happen?

Thanks a lot,
Edoardo
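
The calculated-property approach from the question, generalized as an added example (not the poster's script): it joins every multi-valued property instead of listing each one by hand, and counts empty fields per record so a mostly-empty scheduled run is visible in the indexed events. The function names and sample objects are constructed for illustration; in the real script the input would come from Get-ADUser.

```powershell
# Added example: constructed objects stand in for Get-ADUser output so this runs without AD.
function ConvertTo-FlatRecord {
    # Joins every multi-valued property with a delimiter so no field renders as System.Object[].
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $InputObject,
        [string] $Delimiter = ';'
    )
    process {
        $flat = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $v = $p.Value
            if ($null -ne $v -and $v -isnot [string] -and $v -is [System.Collections.IEnumerable]) {
                $flat[$p.Name] = @($v) -join $Delimiter
            } else {
                $flat[$p.Name] = $v
            }
        }
        [pscustomobject]$flat
    }
}

function Get-EmptyFieldName {
    # Returns the names of properties that are null or empty on a flattened record.
    param([Parameter(Mandatory)] [psobject] $Record)
    foreach ($p in $Record.PSObject.Properties) {
        if ([string]::IsNullOrEmpty([string]$p.Value)) { $p.Name }
    }
}

# Constructed sample data (not real directory output).
$users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; AuthenticationPolicy = @('PolicyA', 'PolicyB'); MemberOf = @('CN=G1,DC=example,DC=test'); AccountExpires = 0 }
    [pscustomobject]@{ SamAccountName = 'asmith'; AuthenticationPolicy = @(); MemberOf = $null; AccountExpires = $null }
)

try {
    foreach ($u in $users) {
        $rec = $u | ConvertTo-FlatRecord
        $empty = @(Get-EmptyFieldName -Record $rec)
        # One event per user, plus a count that makes a mostly-empty run easy to spot in the index.
        $rec | Add-Member -NotePropertyName EmptyFieldCount -NotePropertyValue $empty.Count -PassThru
    }
} catch {
    Write-Error "Collection failed: $($_.Exception.Message)"
}
```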


WorapongJ
Loves-to-Learn Lots

Try to change the schedule 

From 

schedule = 0 6 * * *

To 

schedule = 1800

 

0 Karma

edoardo_vicendo
Builder

For your info, I didn't come up with a solution on PowerShell; that's why we have re-written the script in VBScript and it is working properly.
I will leave the answer open just to see if someone encountering the same issue has been able to solve it.

0 Karma

jacobpevans
Motivator

I have the same problem using Get-ADObject and Get-ADComputer. I can't figure it out for the life of me.

In case this helps, official Splunk documentation says that PowerShell scripts must run as system (which is not what we're doing). However, I don't believe system has AD privileges.

https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsDatawithPowerShellscripts

Splunk Enterprise must run on Windows.
Splunk Enterprise must run as the Local System user to run all PowerShell scripts.
PowerShell v3.0 or later must be installed on the host.
Microsoft .NET version 4.5 or later must be installed on the host.
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma