https://community.splunk.com/t5/Alerting/wanted-to-use-Splunk-to-get-notification-alerts-whenever-service/m-p/476459#M8400 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/43640">@sachindarade</a>,<BR /> I think that you already have Splunk Universal Forwarder on these servers, otherwise you have to install it on all.</P> <P>The first step is (if you haven't yet) to download Splunk_TA_Windows ( <A href="https://splunkbase.splunk.com/app/742/" target="_blank">https://splunkbase.splunk.com/app/742/</A> ).<BR /> then you have to edit <STRONG>inputs.conf</STRONG> file changing in <CODE>[WinHostMon://Process]</CODE> room the option <CODE>disabled = 0</CODE><BR /> Then you have to deploy this modified TA to all your servers.<BR /> In this way you should receive a list of active processes on your servers with the frequency you have in <CODE>[WinHostMon://Process]</CODE> room (default 600 seconds).</P> <P>Now you should create a lookup (called e.g. services.csv) containing all the processes of each host (two columns: host Name) that you want to monitor.</P> <P>At least you have to run a search like this:</P> <PRE><CODE>index=windows sourcetype=WinHostMon Type=Process host="BKKLT00067" Name="*" | eval host=lower(host), Name=lower(name) | stats count BY host Name | append [ | inputlookup services.csv | eval host=lower(host), Name=lower(name), count=0 | fields host Name count ] | stats sum(count) As total BY host Name | where total=0 </CODE></PRE> <P>In this way you'll have the list of all services for each host never found.</P> <P>Ciao.<BR /> Giuseppe</P> Wed, 30 Sep 2020 04:14:52 GMT gcusello 2020-09-30T04:14:52Z https://community.splunk.com/t5/Alerting/wanted-to-use-Splunk-to-get-notification-alerts-whenever-service/m-p/476458#M8399 <P>Hi All,</P> <P>I am new to Splunk. I have few windows services in our environment. Sometime those services get hung or stopped automatically.<BR /> I wanted to use Splunk to get notification/alerts whenever service goes down or hung. If somebody can share any steps that would really appreciated.</P> <P>Thanks in Advance!</P> Wed, 19 Feb 2020 15:25:41 GMT https://community.splunk.com/t5/Alerting/wanted-to-use-Splunk-to-get-notification-alerts-whenever-service/m-p/476458#M8399 sachindarade 2020-02-19T15:25:41Z https://community.splunk.com/t5/Alerting/wanted-to-use-Splunk-to-get-notification-alerts-whenever-service/m-p/476459#M8400 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/43640">@sachindarade</a>,<BR /> I think that you already have Splunk Universal Forwarder on these servers, otherwise you have to install it on all.</P> <P>The first step is (if you haven't yet) to download Splunk_TA_Windows ( <A href="https://splunkbase.splunk.com/app/742/" target="_blank">https://splunkbase.splunk.com/app/742/</A> ).<BR /> then you have to edit <STRONG>inputs.conf</STRONG> file changing in <CODE>[WinHostMon://Process]</CODE> room the option <CODE>disabled = 0</CODE><BR /> Then you have to deploy this modified TA to all your servers.<BR /> In this way you should receive a list of active processes on your servers with the frequency you have in <CODE>[WinHostMon://Process]</CODE> room (default 600 seconds).</P> <P>Now you should create a lookup (called e.g. services.csv) containing all the processes of each host (two columns: host Name) that you want to monitor.</P> <P>At least you have to run a search like this:</P> <PRE><CODE>index=windows sourcetype=WinHostMon Type=Process host="BKKLT00067" Name="*" | eval host=lower(host), Name=lower(name) | stats count BY host Name | append [ | inputlookup services.csv | eval host=lower(host), Name=lower(name), count=0 | fields host Name count ] | stats sum(count) As total BY host Name | where total=0 </CODE></PRE> <P>In this way you'll have the list of all services for each host never found.</P> <P>Ciao.<BR /> Giuseppe</P> Wed, 30 Sep 2020 04:14:52 GMT https://community.splunk.com/t5/Alerting/wanted-to-use-Splunk-to-get-notification-alerts-whenever-service/m-p/476459#M8400 gcusello 2020-09-30T04:14:52Z https://community.splunk.com/t5/Alerting/wanted-to-use-Splunk-to-get-notification-alerts-whenever-service/m-p/476460#M8401 <P>Hi,</P> <P>Similarly, i have another requirement.where I have pass log directory to forwarder. Now i want to read the logs and generate the alerts when log file contains "file(s) count is 2" or greater than 1. (condition is : File(s) count is greater than 1)</P> <P>your help would be really appreciated.</P> <P>Thanks in Advance. </P> Mon, 02 Mar 2020 14:07:28 GMT https://community.splunk.com/t5/Alerting/wanted-to-use-Splunk-to-get-notification-alerts-whenever-service/m-p/476460#M8401 sachindarade 2020-03-02T14:07:28Z