https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680284#M27967 <UL><LI>I have windows service called "ess". Due to network glitch the service is entering into stopped state and start state. Since the windows event is generating for delivery network glitch an event is recorded in splunk.</LI></UL><P>But the service ess is really down, and never entered into running state we need to be alerted.</P><P>I want to write splunk to alert only when the service ess went into stopped state but never entered into running state for 25 hosts. Same service is running on 25 hosts and all servers has network glitches.</P> Mon, 11 Mar 2024 14:55:00 GMT ethammis 2024-03-11T14:55:00Z https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680284#M27967 <UL><LI>I have windows service called "ess". Due to network glitch the service is entering into stopped state and start state. Since the windows event is generating for delivery network glitch an event is recorded in splunk.</LI></UL><P>But the service ess is really down, and never entered into running state we need to be alerted.</P><P>I want to write splunk to alert only when the service ess went into stopped state but never entered into running state for 25 hosts. Same service is running on 25 hosts and all servers has network glitches.</P> Mon, 11 Mar 2024 14:55:00 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680284#M27967 ethammis 2024-03-11T14:55:00Z https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680294#M27968 <P>How long are you prepared to wait for the service to come up again? Are you looking to alert if all the servers don't come back up within a certain time, or if any one of them doesn't come back up? Are events generated when the service is up, and how regularly do these events occur? Can there be periods when no events are generated but the service is still to be considered up?</P> Mon, 11 Mar 2024 14:47:33 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680294#M27968 ITWhisperer 2024-03-11T14:47:33Z https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680307#M27969 <P><SPAN>How long are you prepared to wait for the service to come up again?</SPAN></P><P><STRONG>- Within 10min, if service is not coming up then need alert.</STRONG></P><P><STRONG>i.e. an event "The ess service entered into running state" will be logged</STRONG></P><P><SPAN>Are you looking to alert if all the servers don't come back up within a certain time, or if any one of them doesn't come back up?<BR /><STRONG>Any server out of 25, if the service is not running, then need alert</STRONG></SPAN></P><P><SPAN>Are events generated when the service is up, and how regularly do these events occur?</SPAN></P><P><STRONG>As soon the service started an event will be generated, "The ess Service entered into running state"</STRONG></P><P><SPAN>Can there be periods when no events are generated but the service is still to be considered up?</SPAN></P><P><STRONG>No, there will be definitely an event will be generated once the service brought up</STRONG></P> Mon, 11 Mar 2024 16:51:37 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680307#M27969 ethammis 2024-03-11T16:51:37Z https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680315#M27970 <P>Try something below:</P><P>index=&lt;indexname&gt; ("ess service")<BR />|transaction host startswith="The ess service entered the stopped state." endswith="The ess service entered the running state." maxspan=30m<BR />|search NOT &lt;field&gt;="The ess service entered the running state."<BR />|table host</P> Mon, 11 Mar 2024 17:29:45 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-find-stopped-service/m-p/680315#M27970 venkateshparank 2024-03-11T17:29:45Z