Alerting

Alert when a Windows Service stops

Razzi
New Member

I am fairly new to the Splunk platform/community; I am in learning mode 😞 and I hope to get some help here. How do I set up/configure an alert on a set of Windows servers to notify me when a particular set of services stops? For example, I have three services whose names start with TDB; how can I configure Splunk to alert if any of those services stop on a particular server? Thanks much.

0 Karma

PickleRick
SplunkTrust

One important thing: Splunk is not a "monitoring tool", so it will not tell you about the state of the service (unless you have a specific input listing the states of services periodically, but as far as I know there is no such input by default). You will only be able to see an event saying that the service has stopped or crashed or whatever if such an event is logged (and if you're ingesting such events).

0 Karma
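Building on the point above that you can only alert on what Windows actually logs: the Service Control Manager writes Event ID 7036 ("The X service entered the stopped state") and 7034 ("The X service terminated unexpectedly") to the System log. The search below is an added example, not code from any post in this thread; it assumes the classic WinEventLog input (index `wineventlog`, sourcetype `WinEventLog:System`, fields `SourceName`, `EventCode`, `Message`) and services whose names start with TDB.

```spl
index=wineventlog sourcetype="WinEventLog:System"
    SourceName="Service Control Manager" (EventCode=7036 OR EventCode=7034)
``` pull the service name and its new state out of the free-text Message
| rex field=Message "^The (?<service>.+?) service (?:entered the (?<state>\w+) state|terminated unexpectedly)"
``` 7034 has no "state" word, so label it explicitly
| eval state=coalesce(state, "crashed")
``` keep only the TDB* services and only stop/crash transitions (7036 also logs "running")
| where like(service, "TDB%") AND (state="stopped" OR state="crashed")
| stats latest(_time) AS last_event count AS occurrences BY host service state
| convert ctime(last_event)
```

Save this as an alert scheduled over the same window it searches (for example every 5 minutes over the last 5 minutes) with the trigger condition "number of results > 0"; the `host service state` columns tell you which service failed where.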

gcusello
SplunkTrust

Hi @Razzi,

you should define the fields that you can use to identify the events to use:

  • host (it's the host present in each log),
  • process.

Then you should create a lookup (called e.g. perimeter.csv) containing the hosts to monitor (supposing that the three services to monitor must be active on all the servers).

Then you should run a search like the following:

index=<your_index> process IN (TBD1, TBD2, TBD3)
| stats 
    dc(process) AS process_count 
    values(process) AS process 
    count 
    BY host
| append [ 
    | inputlookup perimeter.csv 
    | eval count=0
    | fields host count
    ]
| stats 
    dc(process) AS process_count 
    values(process) AS process 
    sum(count) AS total
    BY host
| where total=0 OR process_count<3
| eval status=if(total=0, "missed host", "missed process")
| table host status process
| rename process AS "present processes"

Ciao.

Giuseppe

0 Karma

Teddiz
New Member

Can you explain to me where I put perimeter.csv, and can you show me a little example of what this file looks like?

thx

0 Karma

gcusello
SplunkTrust

hi @Teddiz ,

perimeter.csv is a CSV file containing only one column (host) and the list of the hostnames to monitor:

host
my_host1
my_host2
my_host3
my_host4

Ciao.

Giuseppe

0 Karma

Teddiz
New Member

Thx Giuseppe!

0 Karma

gcusello
SplunkTrust

Hi @Teddiz ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma