- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi community! I've tried and exhausted all my brain cells but I still couldn't make this work. Any ideas?
Below is deployed into a Windows 11 machine, running UF 9.1.1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to reddit user u/chadbaldwin who pointed out that the fault was in using `Write-Host` rather than `Write-Output`; whereas `Write-Host` isn't something Splunk is able to capture.
Replaced the script to use `Write-Output` and it's now working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to reddit user u/chadbaldwin who pointed out that the fault was in using `Write-Host` rather than `Write-Output`; whereas `Write-Host` isn't something Splunk is able to capture.
Replaced the script to use `Write-Output` and it's now working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You've never scripted on unices, have you? 😉
But seriously - that's kinda obvious. I'd say Write-Output is like writing to stdout whereas Write-Host is more like writing to stderr (yes, I know that this analogy is not 100% correct).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have very little experience with scripting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You specified "schedule" setting instead of "interval".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In inputs.conf - Splunk Documentation, it says
[powershell://<name>] schedule = [<positive integer>|<cron schedule>] * How often to run the specified PowerShell command or script. * You can specify a number in seconds, or provide a valid cron schedule. * Default: Runs the command or script once, at startup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, you're right. I was checking the "script" input and it has the "interval" parameter whereas powershell indeed has "schedule".
How do you know it's not running (and not just running and producing any results for example)?
What does splunk list inputstatus say?
My definition looks almost identical and works. From what I see you avoided the common pitfall of $SplunkHome so the path is good.
[powershell://script-checker]
script= . "$SplunkHome\etc\apps\cert_checker\bin\scripts\Splunk-cert-checker.ps1"
schedule = 86400
index=internal_auxiliary
sourcetype=kv:cert-checker
event_serialization_format=kv
disabled=0
