topic Re: How to check the status and start mode of these services? in Splunk Search

How to check the status and start mode of these services?

jip31 — Thu, 22 Mar 2018 12:52:42 GMT

Hello all
I want to check the status and the start mode of the 2 services below and I wrote this code.
Does it seem to be ok?

[WinHostMon://service]
type = service
interval = 3600
index = winsvc
disabled = 1
Name = "CcmExec" OR "RCAgentMgr" OR "WMI"
Status = "Arrêté"
Start mode = "Manuel" OR "Désactivé"

Thanks

Re: How to check the status and start mode of these services?

logloganathan — Thu, 22 Mar 2018 14:58:04 GMT

Please write splunk query like this

index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Status = "Arrêté" Start mode = "Manuel" OR Start mode = "Désactivé"

then select the time range as 60 minutes

Re: How to check the status and start mode of these services?

jip31 — Tue, 29 Sep 2020 18:39:30 GMT

Thanks very much lolloganathan!
i have 2 others questions
1) now i have modified inputs.conf which SPL command i have to write for checking if the service is up or down?
2) i wrote the code below for monitoring a file in splunk
Does it seems to be ok?
Same question : which SPL command i have to write for checking the log from SPLUNK?
Sorry i am rouky

[monitor://C:\Windows\Logs\CBS]
interval = 120
whitelist = .log$
disabled = 1
followTail = 0
_TCP_ROUTING = pnlogGroup

thanks

Re: How to check the status and start mode of these services?

logloganathan — Tue, 29 Sep 2020 18:38:29 GMT

disabled = 1 AND followTail = 0 AND _TCP_ROUTING = "pnlogGroup"

then select the time range as 2 minute

Re: How to check the status and start mode of these services?

jip31 — Fri, 23 Mar 2018 10:43:53 GMT

Thanks but you dont have responded to all my questions 😉

Re: How to check the status and start mode of these services?

logloganathan — Fri, 23 Mar 2018 10:49:22 GMT

i have responded to your previous questions.
please ask if i missed anything

Re: How to check the status and start mode of these services?

jip31 — Tue, 29 Sep 2020 18:39:41 GMT

Yes you have missed this logloganathan
1) which SPL command i have to write for checking if the service is up or down? (see code below)
index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Status = "Arrêté" Start mode = "Manuel" OR Start mode = "Désactivé"

2) which SPL command i have to write for checking a filethe service is up or down? (see code below)
[monitor://C:\Windows\Logs\CBS]
interval = 120
whitelist = .log$
disabled = 1
followTail = 0 AND _TCP_ROUTING = pnlogGroup

THANKS

Re: How to check the status and start mode of these services?

jip31 — Mon, 26 Mar 2018 05:58:39 GMT

hello all, nobody for helping me please??

Re: How to check the status and start mode of these services?

logloganathan — Tue, 29 Sep 2020 18:40:55 GMT

1)
index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Start mode = "Manuel" OR Start mode = "Désactivé" | table Status

if status is active then service is up else vice versa

2)
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" | table disabled
time range 120 minute
based on disabled value you can consider whether its up or down

Re: How to check the status and start mode of these services?

jip31 — Tue, 29 Sep 2020 18:41:37 GMT

Nathan

1) OK for this answer
2) I dont understand
i use the code below because i want to find the word "error" in C:\Tools\Flags
but i dont know why you put : | table disabled???? disabled = 0 ou 1....
so where i put the word "error" in my SPL command???

[monitor://C:\Tools\Flags]
interval = 120

How often, in seconds, to poll for new data

whitelist = .log$

If set, Splunk Enterprise only monitors files whose names match the specified regular expression

disabled = 1

Whether or not to gather the performance data defined in this input

followTail = 0 AND _TCP_ROUTING = pnlogGroup

If set to 1, monitoring begins at the end of the file

Specifies a comma-separated list of tcpout group names Define the tcpout group names in outputs.conf

Re: How to check the status and start mode of these services?

logloganathan — Tue, 29 Sep 2020 18:41:43 GMT

if you want to add "error"
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1
time range 120 minute
Please refer the document which will help you for outputs.conf

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Outputsconf

Re: How to check the status and start mode of these services?

jip31 — Tue, 29 Sep 2020 18:41:48 GMT

so the entire SPL command is just this? :
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1 time range 120 minute

Re: How to check the status and start mode of these services?

jip31 — Tue, 29 Sep 2020 18:41:51 GMT

so the entire SPL command is :
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1 time range 120 minute ???
or does it miss some informations??

Re: How to check the status and start mode of these services?

logloganathan — Mon, 26 Mar 2018 16:52:58 GMT

You have to add the index in the query..

Re: How to check the status and start mode of these services?

logloganathan — Mon, 26 Mar 2018 16:58:30 GMT

Index = winsvc
Please refer previous example

Re: How to check the status and start mode of these services?

jip31 — Tue, 29 Sep 2020 18:41:57 GMT

so index=main | followTail = 0 AND _TCP_ROUTING = "pnlogGroup" | table disabled time range 120 minute??

Re: How to check the status and start mode of these services?

jip31 — Tue, 29 Sep 2020 18:42:02 GMT

sorry i have forgotten "error"

so index=main | followTail = 0 AND _TCP_ROUTING = "pnlogGroup"| "error" | table disabled time range 120 minute??

Re: How to check the status and start mode of these services?

logloganathan — Tue, 29 Sep 2020 18:42:05 GMT

Index = main followTail=0 _TCP_ROUTING="pnlogGroup" "error" | table disabled

Then select time range 120 minutes

Re: How to check the status and start mode of these services?

jip31 — Mon, 26 Mar 2018 17:53:15 GMT

oh thanks!
sorry i a m rouky and i didnt male any elearning so it s difficut for me
i have a last question
when we wrire an spl command how do we do to know the exact name of a field in the index
we are obliged to display fils like this :
index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
thanks again

Re: How to check the status and start mode of these services?

logloganathan — Tue, 27 Mar 2018 09:16:37 GMT

index=_internal | fieldsummary

here you can see all the field summary. Please refer this document for more help
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Fieldsummary