I have the SA-ModularInput-PowerShell app deployed to some Windows universal forwarders.
When the forward re-installs an updated version of SA-ModularInput-PowerShell, it fails because PowerShell.exe is still running and therefore has a file lock on the subfolder SA-ModularInput-PowerShell/windows_x86_64 .
splunkd.log shows: 02-06-2014 17:48:15.337 -0500 WARN DeployedApplication - Failed to create file D:\App\SplunkUniversalForwarder\etc\apps\SA-ModularInput-PowerShell\windows_x86_64\bin\PowerShell.exe while untarring D:\App\SplunkUniversalForwarder\var\run\win_hosts\SA-ModularInput-PowerShell-1391725349.bundle: The process cannot access the file because it is being used by another process.
Once I kill the PowerShell.exe process, the forwarder is able to proceed with re-installing the SA-ModularInput-PowerShell app.
PowerShell.exe is running as User Name splunk_user in the Task Manager.
Any idea why PowerShell.exe continues to run after the scripted modular input completes? Did I set this up wrong?
Here's the input that uses the SA-ModularInput-PowerShell app.
[powershell://Win32_Product]
script = Get-WmiObject -Class Win32_Product -ComputerName . | Select-Object Name,Vendor,Version,Caption,InstallDate
schedule = 0 9 * ? * *
sourcetype = software_inventory_win
index = inventory
... View more