How do I pull service status for Windows in an efficient manner?

fairje — Fri, 12 May 2017 15:20:58 GMT

I know the WinHostMon input can be used to poll the status of all the services on a host, but it also outputs a lot of extra information which adds a lot of bloat to the data stream. Running that at 1 or 5 minute intervals across multiple servers adds a substantial (and unnecessary) hit to your index volume.

The other common input manner is to use WMI to poll for that information, but WMI is notoriously hard hitting on the system, and at a frequent polling interval is likely to just crush the systems you are trying to run it on.

Is there another way to get this information to just return back the service name and it's state without all the extra informaiton and without causing a major hit on CPU load on the servers you are trying to monitor?

e.g.
splunkforwarder,running
Spooler,running
Schedule,stopped

Re: How do I pull service status for Windows in an efficient manner?

fairje — Fri, 12 May 2017 15:24:51 GMT

The below powershell script will use the commandline tool "sc.exe" to output the service name and status, and then format the results with a simple echo output so Splunk can read it as an input.

$output = sc.exe query state= all
$formatted = new-object PSObject
for ($i=0; $i -lt $output.Length; $i++) {
    if ($output[$i] -like "SERVICE_NAME:*") {
        $service = $output[$i] -replace 'SERVICE_NAME: ',''
        $status = $output[$i+3] -replace '        STATE              : ',''
        $status = $status -replace '  ',','
        $newout = $service + "," + $status
        echo $newout
    }
}

Sample results:

smphost,1,STOPPED
SmsRouter,1,STOPPED
smstsmgr,1,STOPPED
SNMPTRAP,1,STOPPED
SplunkForwarder,4,RUNNING
Spooler,4,RUNNING
sppsvc,4,RUNNING

topic Re: How do I pull service status for Windows in an efficient manner? in Getting Data In

How do I pull service status for Windows in an efficient manner?

Re: How do I pull service status for Windows in an efficient manner?