Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a Windows process monitoring alert?

sureshkumaar
Path Finder
‎03-31-2022 05:22 AM

I am looking for a Alert query for monitoring the windows process

below is the scenario

1. Lookup having a field name called "host" and "Process"

2. windows index query where the process gets updating in the field called "Name" and we have host field as well by default.

3. Query needs to pick the value from the "host" and "Process" from the lookup and finds the matching in the windows based index query, events should generate in Splunk results

Kindly assist.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

sureshkumaar
Path Finder
‎04-14-2022 05:26 AM

Hi @gcusello 

Please find below 2 results where lookup query still showing count as 0 though the process returning events while running for index query alone

Events related search from index

Index events.PNG

 

process query using lookup that shows count=0

process query data.PNG

0 Karma
Reply

sureshkumaar
Path Finder
‎04-21-2022 02:23 AM

Hi @gcusello - any suggestions as we still not able to crack it

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-21-2022 05:03 AM

Hi @sureshkumaar,

what does it happen if you run only the first three rows (until the first stats)?

in you results, have you "drm-netjnibridge-host.exe" and "drm-service.exe"?

Ciao.

Giuseppe

0 Karma
Reply

sureshkumaar
Path Finder
‎04-25-2022 03:32 AM

Hi @gcusello ,

I am getting zero results when running first 3 lines of the query alone

3 lines of the query.PNG

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 07:25 AM

Hi @sureshkumaar,

As I supposed, the problem is in the main search, there are two choices:

  • in the main search (the one you maskered) or in the lookup (or in both) there isn't one or both the fields "host" and "Process" (beware that field names are case sensitive!),
  • there isn't any common pair host/Process between the main search and the lookup;

so there isn't any result to the main search.

So at first run the above search (the first three rows) without the subsearch and see if you have results.

If not, the problem is in the field names and you have to check them.

If yes, see the result pairs and see if there's someone of them in the lookup.

In this case you have to debug this situation before starting the analysis of the missing processes.

Ciao.

Giuseppe

0 Karma
Reply

sureshkumaar
Path Finder
‎04-01-2022 03:32 AM

it should return host and Process results if the values from the lookup isn't coming/occurring as events through index

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 05:36 AM

Hi @sureshkumaar,

if the Process name in the lookup is the same of the Process field in events, you could use something like this:

index=your_index NOT [| inputlookup your_lookup.csv | fields host Process ]
| ...

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...