Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a Windows process monitoring alert?

sureshkumaar
Path Finder
‎03-31-2022 05:22 AM

I am looking for a Alert query for monitoring the windows process

below is the scenario

1. Lookup having a field name called "host" and "Process"

2. windows index query where the process gets updating in the field called "Name" and we have host field as well by default.

3. Query needs to pick the value from the "host" and "Process" from the lookup and finds the matching in the windows based index query, events should generate in Splunk results

Kindly assist.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

sureshkumaar
Path Finder
‎04-14-2022 05:26 AM

Hi @gcusello 

Please find below 2 results where lookup query still showing count as 0 though the process returning events while running for index query alone

Events related search from index

Index events.PNG

 

process query using lookup that shows count=0

process query data.PNG

0 Karma
Reply

sureshkumaar
Path Finder
‎04-21-2022 02:23 AM

Hi @gcusello - any suggestions as we still not able to crack it

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-21-2022 05:03 AM

Hi @sureshkumaar,

what does it happen if you run only the first three rows (until the first stats)?

in you results, have you "drm-netjnibridge-host.exe" and "drm-service.exe"?

Ciao.

Giuseppe

0 Karma
Reply

sureshkumaar
Path Finder
‎04-25-2022 03:32 AM

Hi @gcusello ,

I am getting zero results when running first 3 lines of the query alone

3 lines of the query.PNG

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-25-2022 07:25 AM

Hi @sureshkumaar,

As I supposed, the problem is in the main search, there are two choices:

  • in the main search (the one you maskered) or in the lookup (or in both) there isn't one or both the fields "host" and "Process" (beware that field names are case sensitive!),
  • there isn't any common pair host/Process between the main search and the lookup;

so there isn't any result to the main search.

So at first run the above search (the first three rows) without the subsearch and see if you have results.

If not, the problem is in the field names and you have to check them.

If yes, see the result pairs and see if there's someone of them in the lookup.

In this case you have to debug this situation before starting the analysis of the missing processes.

Ciao.

Giuseppe

0 Karma
Reply

sureshkumaar
Path Finder
‎04-01-2022 03:32 AM

it should return host and Process results if the values from the lookup isn't coming/occurring as events through index

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-31-2022 05:36 AM

Hi @sureshkumaar,

if the Process name in the lookup is the same of the Process field in events, you could use something like this:

index=your_index NOT [| inputlookup your_lookup.csv | fields host Process ]
| ...

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...