topic Re: How to search that shows the current uptime of the server? and the date / time / user who last reboot the server? in Splunk Search

How to search that shows the current uptime of the server? and the date / time / user who last reboot the server?

afraanajam — Tue, 08 Mar 2022 17:55:30 GMT

How to search that shows the current uptime of the server? and the date / time / user who last reboot the server?

Re: How to search that shows the current uptime of the server? and the date / time / user who last reboot the server?

ricotries — Tue, 08 Mar 2022 23:00:25 GMT

What you are asking depends on the operating system of the host you are asking for. Windows devices will log the information you are asking for differently than a *nix device.

If you are looking for the current uptime of a Splunk process (say Splunk Enterprise), you can run the following search:

index=_internal host=<hostname> "My hostname is" | eval uptime_hours = round((now() - _time) / (60 * 60), 1) | table uptime_hours

$SPLUNK_HOME/var/log/splunk/splunkd.log writes the message "My hostname is "<hostname>"" when an instance of Splunk is first started, so we can use this timestamp to determine the current uptime if a Splunk instance.

To answer the rest of your question we need more information.

Re: How to search that shows the current uptime of the server? and the date / time / user who last reboot the server?

afraanajam — Wed, 09 Mar 2022 06:05:58 GMT

This is Windows boxes..What would be search for finding last reboot of server using event logs..and the date / time / user who last reboot the server?

Re: How to search that shows the current uptime of the server? and the date / time / user who last reboot the server?

ricotries — Wed, 09 Mar 2022 16:24:16 GMT

The Event ID you are looking for is 1074. The syntax for this Event ID is (where %% are variables):

The process %% has initiated the %% of computer %% on behalf of user %% for the following reason: %% Reason Code: %% Shutdown Type: %% Comment: %%

Since we don't know if field extraction is set up and the custom field names in your environment, we'll do a rex command (we'll assume the EventID is stored in the field EventCode at a minimum):

sourcetype="WinEventLog:*" EventCode=1074 | rex field=_raw "The process [^ ]+ has initiated the restart of computer (?<computer>[^ ]+) on behalf of user (?<calling_user>[^ ]+) for the following reason: (?<poweroff_reason>.*)" | head 1 | table _time computer calling_user poweroff_reason

If field extraction is being done, remove the rex command and simply replace the field names in the table command.

Reference:

https://kb.eventtracker.com/evtpass/evtpages/EventId_1074_User32_46330.asp

https://shellgeek.com/event-id-1074-system-restart-or-shutdown/

Re: How to search that shows the current uptime of the server? and the date / time / user who last reboot the server?

ricotries — Thu, 10 Mar 2022 17:33:08 GMT

Any updates? If this works accept the answer to close the question.

Re: How to search that shows the current uptime of the server? and the date / time / user who last reboot the server?

afraanajam — Mon, 14 Mar 2022 01:27:33 GMT

Thank you above search worked but its not giving calling_user and Poweroff_reason details..Is anything need to modify in search..Pls advice..