topic Re: How to edit my search to find events that did not occur right before a machine restart? in Splunk Search

How to edit my search to find events that did not occur right before a machine restart?

jpolcari — Fri, 17 Feb 2017 14:13:18 GMT

I'd like to look for events of a Windows service stopping but ONLY if it did not occur while the machine was being rebooted. So far I have:

index=wineventlog  sourcetype=wineventlog:system (EventCode=7036 "Service Name" stopped) OR EventCode=6009
| transaction ComputerName startswith="EventCode=7036" endswith="EventCode=6009" maxspan=10m

EventCode 7036 is the service stopping while an EventCode 6009 occurs when the machine has just rebooted. This currently shows all the stops WITH a restart but I would like to find event 7036 when there was not a 6009 within about 10 minutes.

Re: How to edit my search to find events that did not occur right before a machine restart?

somesoni2 — Fri, 17 Feb 2017 14:24:20 GMT

Try this

index=wineventlog  sourcetype=wineventlog:system (EventCode=7036 "Service Name" stopped) OR EventCode=6009
| transaction ComputerName startswith="EventCode=7036" endswith="EventCode=6009" maxspan=10m keeporphan=t
| where duration>600 OR (mvcount(EventCode)=1 AND EventCode="7036")

Re: How to edit my search to find events that did not occur right before a machine restart?

nickhills — Fri, 17 Feb 2017 14:25:01 GMT

try

 index=wineventlog  sourcetype=wineventlog:system (EventCode=7036 "Service Name" stopped) OR EventCode=6009 | transaction ComputerName startswith="EventCode=7036" endswith="EventCode=6009" maxspan=10m keeporphans=true|search _txn_orphan=1

Re: How to edit my search to find events that did not occur right before a machine restart?

jpolcari — Fri, 17 Feb 2017 14:31:24 GMT

Thanks very much! This looks like it works perfectly. Didn't realize you could keep the other results with keeporphans.