https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/702362#M16216 <P>Thx&nbsp;<SPAN>Giuseppe!</SPAN></P> Mon, 21 Oct 2024 10:00:08 GMT Teddiz 2024-10-21T10:00:08Z https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/685626#M15957 <P>I am fairly new to the Splunk platform/ community; I am in learning mode <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> and I hope to get some help here. How do I set up/configure an alert on a set of Windows Servers to notify me when a particular set of services stops? For example, I have three services that start with the naming of TDB, how can I configure Splunk to alert if any of those services stop on a particular server name. Thanks much.</P> Fri, 26 Apr 2024 13:59:42 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/685626#M15957 Razzi 2024-04-26T13:59:42Z https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/685627#M15958 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267341">@Razzi</a>,</P><P>you should define the fields that you can use to&nbsp;identify the fields to use:</P><UL><LI>host (it's the host present in each log),</LI><LI>process.</LI></UL><P>Then you should create a lookup (called e.g. perimeter.csv) containing the hosts to monitor (supponing that the three services to monitor must be active in all the servers).</P><P>Then you should run a search like the following:</P><LI-CODE lang="markup">index=&lt;your_index&gt; process IN (TBD1, TBD2, TBD3) | stats dc(process) AS process_count values(process) AS process count BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats dc(process) AS process_count values(process) AS process sum(count) AS total BY host | where total=0 OR process_count&lt;3 | eval status=if(total=0, "missed host", "missed process") | table host status process | rename process AS "present processes"</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 26 Apr 2024 14:09:51 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/685627#M15958 gcusello 2024-04-26T14:09:51Z https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/700070#M16201 <P>can you explain me where I put the perimeter.csv and can you show me a little example how this file looks like?</P><P>thx</P> Wed, 25 Sep 2024 08:43:46 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/700070#M16201 Teddiz 2024-09-25T08:43:46Z https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/700081#M16202 <P>One important thing - Splunk is not a "monitoring tool". So it will not tell you about the state of the service (unless you have a specific input listing states of services periodically but as far as I know there is no such input by default). You will only be able to see an event saying that the service has stopped or crashed or whatever if such event is logged (and if you're ingesting such events).</P> Wed, 25 Sep 2024 11:03:35 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/700081#M16202 PickleRick 2024-09-25T11:03:35Z https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/700088#M16203 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272529">@Teddiz</a>&nbsp;,</P><P>perimeter.csv is a csv file containing only one column (host) and the list of the hostname to monitor:</P><LI-CODE lang="markup">host my_host1 my_host2 my_host3 my_host4</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 25 Sep 2024 12:38:46 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/700088#M16203 gcusello 2024-09-25T12:38:46Z https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/702362#M16216 <P>Thx&nbsp;<SPAN>Giuseppe!</SPAN></P> Mon, 21 Oct 2024 10:00:08 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/702362#M16216 Teddiz 2024-10-21T10:00:08Z https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/702412#M16218 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272529">@Teddiz</a>&nbsp;,</P><P>good for you, see next time!</P><P>let us know if we can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 21 Oct 2024 18:43:23 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Windows-Service-stops/m-p/702412#M16218 gcusello 2024-10-21T18:43:23Z