Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to schedule search and alert for Windows servi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to schedule search and alert for Windows services that are "Stopped", set to "Auto" and system uptime is < 86400 seconds
Hello,
I'm hoping someone can help me assemble this search & alert.
We have two indexes:
index_evt is for windows event logs
index_perf contains all performance metrics & windows service information
I want to create a search that
- Searches index_perf (source=WMI:Services) for any service that contains "IBM" in the service name, that is "Stopped" and is also set to "Auto" for startup type within the past 2 hours.
- Searches index_evt (sourcetype="WinEventLog:System") for system uptime is < 86400 seconds.
We're looking for windows services that should be running after reboots of windows servers.
Your help is truly appreciated.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would help to have the field names for these sources, but I will just make up field names...
index=index_evt sourcetype="WinEventLog:System" uptime >=1800 uptime<=86400
| join host max=0 [ search index=index_perf source="WMI:Services" status=Stopped startup=Auto
| where match(service_name, "IBM") ]
Hopefully this is a good starting point...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, run the two searches separately? Do you get results? Do the results have a field named host? Does the host field have the same format, etc. and does it match across the two searches?
Finally, is it possible that 0 results is the right answer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Iquinn,
Sorry for the late reply.
I have done a search and successful results with the following two searches (separating both searches to verify they each work):
- index=app_evtlogs sourcetype="WinEventLog:System" | rex "The system uptime is (?\d+) seconds." | Where uptime<=86400
- index=app_perf source="WMI:Services" State=Stopped StartMode=Auto | rex field=_raw "\nName=(?PIBM.{1,})" | top SvcName by host
But when I try to do a join:
index=app_evtlogs sourcetype="WinEventLog:System" | rex "The system uptime is (?\d+) seconds." | Where uptime<=86400 | join host max=0 [ index=app_perf source="WMI:Services" State=Stopped StartMode=Auto | rex field=_raw "\nName=(?PIBM.{1,})" | top SvcName by host ]
I get:
Unknown search command 'index'.
Any ideas as to what I'm missing or doing wrong?
Am I even able to do a 'join' with each search referencing a different index?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your quick response lguinn! 🙂
I get 0 results back.
One thing I had to do was:
index=index_evt sourcetype="WinEventLog:System" | rex "The system uptime is (?
But when appending the rest, I get nothing.
Full search:
index=index=evt sourcetype="WinEventLog:System" | rex "The system uptime is (?
Any other ideas?
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
