https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306344#M19517 <P>thank you wenthold...we have so many devices like IPhones, IPADS, scan guns, printers, MPOS s i am getting real time machine data into my splunk, how would i categorize them as power on/off</P> <PRE><CODE> i have one method in my hand, if any host is not sending logs to splunk i am treating them as off line or power off devices which could be a power issue, network issue, application issue or anything else. now i would like like to take only power off devices only as not off line devices </CODE></PRE> Wed, 28 Mar 2018 21:58:27 GMT mbnaidu 2018-03-28T21:58:27Z https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306342#M19515 <P>Hello,<BR /> I would like to prepare a dashboard which shows status(power on/off) off devices in retails store, we have POS,MPOS devices. My question is on what basis(windows logs) I would assume a device powers off?? Could you please explain what windows logs, event codes are accurate to decide power off? Any help would be appreciated.</P> <P>Thanks in advance</P> Wed, 28 Mar 2018 18:42:22 GMT https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306342#M19515 mbnaidu 2018-03-28T18:42:22Z https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306343#M19516 <P>Look in the System event log for Event ID 13, type 4, sourcename Microsoft-Windows-Kernel-General - or, using the standard Splunk TA for Windows:</P> <PRE><CODE>sourcetype=WinEventLog:System EventCode=13 EventType=4 </CODE></PRE> Wed, 28 Mar 2018 19:37:49 GMT https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306343#M19516 wenthold 2018-03-28T19:37:49Z https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306344#M19517 <P>thank you wenthold...we have so many devices like IPhones, IPADS, scan guns, printers, MPOS s i am getting real time machine data into my splunk, how would i categorize them as power on/off</P> <PRE><CODE> i have one method in my hand, if any host is not sending logs to splunk i am treating them as off line or power off devices which could be a power issue, network issue, application issue or anything else. now i would like like to take only power off devices only as not off line devices </CODE></PRE> Wed, 28 Mar 2018 21:58:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306344#M19517 mbnaidu 2018-03-28T21:58:27Z https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306345#M19518 <P>From a high level, I would do something like this:</P> <UL> <LI>Create a lookup table of assets including the fields isExpected</LI> <LI>Schedule a lookup search to identify when a new host sends data, and add it to the asset lookup table with the isExpected value to 1</LI> <LI>Schedule another search that looks for the poweroff event and sets the isExpected value to 0</LI> </UL> <P>Now you can identify when a host is expected and stops sending data. This is what I'd start with for Windows, I'm not sure what I'd do for the other systems or if it's possible, it depends on what's being logged to Splunk from those devices.</P> Fri, 30 Mar 2018 15:19:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/What-windows-logs-event-codes-are-accurate-to-decide-power-off/m-p/306345#M19518 wenthold 2018-03-30T15:19:08Z