
How to schedule search and alert for Windows services that are "Stopped", set to "Auto" and system uptime is < 86400 seconds

Communicator

Hello,

I'm hoping someone can help me assemble this search & alert.

We have two indexes:

index_evt is for Windows event logs
index_perf contains all performance metrics & Windows service information

I want to create a search that
- Searches index_perf (source=WMI:Services) for any service that contains "IBM" in the service name, that is "Stopped" and is also set to "Auto" for startup type within the past 2 hours.
- Searches index_evt (sourcetype="WinEventLog:System") for a system uptime < 86400 seconds.

We're looking for windows services that should be running after reboots of windows servers.

Your help is truly appreciated.

Thanks.

0 Karma

Re: How to schedule search and alert for Windows services that are "Stopped", set to "Auto" and system uptime is < 86400 seconds

Legend

It would help to have the field names for these sources, but I will just make up field names...

index=index_evt sourcetype="WinEventLog:System" uptime >=1800 uptime<=86400
| join host max=0 [ search index=index_perf source="WMI:Services" status=Stopped startup=Auto
                    | where match(service_name, "IBM") ]

Hopefully this is a good starting point...

0 Karma

Re: How to schedule search and alert for Windows services that are "Stopped", set to "Auto" and system uptime is < 86400 seconds

Communicator

Thanks for your quick response lguinn! 🙂

I get 0 results back.

One thing I had to do was:
index=index_evt sourcetype="WinEventLog:System" | rex "The system uptime is (?<uptime>\d+) seconds." | where uptime>=0 AND uptime<=86400

But when appending the rest, I get nothing.

Full search:

index=index_evt sourcetype="WinEventLog:System" | rex "The system uptime is (?<uptime>\d+) seconds." | where uptime>=0 AND uptime<=86400 | join host max=0 [ search index=index_perf source="WMI:Services" status=Stopped startup=Auto | where match(service_name, "IBM") ]

Any other ideas?

0 Karma

Re: How to schedule search and alert for Windows services that are "Stopped", set to "Auto" and system uptime is < 86400 seconds

Legend

First, run the two searches separately. Do you get results? Do the results have a field named host? Does the host field have the same format, etc., and does it match across the two searches?

Finally, is it possible that 0 results is the right answer?

0 Karma

Re: How to schedule search and alert for Windows services that are "Stopped", set to "Auto" and system uptime is < 86400 seconds

Communicator

Hi lguinn,

Sorry for the late reply.

I have run the following two searches and got successful results from each (separating both searches to verify they each work):

- index=appevtlogs sourcetype="WinEventLog:System" | rex "The system uptime is (?<uptime>\d+) seconds." | where uptime<=86400
- index=app_perf source="WMI:Services" State=Stopped StartMode=Auto | rex field=_raw "\nName=(?P<SvcName>IBM.{1,})" | top SvcName by host

But when I try to do a join:
index=appevtlogs sourcetype="WinEventLog:System" | rex "The system uptime is (?<uptime>\d+) seconds." | where uptime<=86400 | join host max=0 [ index=app_perf source="WMI:Services" State=Stopped StartMode=Auto | rex field=_raw "\nName=(?P<SvcName>IBM.{1,})" | top SvcName by host ]

I get:
Unknown search command 'index'.

Any ideas as to what I'm missing or doing wrong?

Am I even able to do a 'join' with each search referencing a different index?

Thanks!

0 Karma
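A scheduled search that covers what the thread is after, added here as an example and not taken from any of the posts: instead of a join (whose bracketed subsearch must start with the search command, which is what the "Unknown search command 'index'" error points at, and which is also subject to subsearch result limits), it pulls both indexes in one base search with OR and correlates them per host with stats. It assumes EventCode=6013 is the System-log event that carries the "The system uptime is N seconds." text, and reuses the index and field names from the thread (appevtlogs, app_perf, State, StartMode, Name).

```spl
(index=appevtlogs sourcetype="WinEventLog:System" EventCode=6013 "The system uptime is")
OR (index=app_perf source="WMI:Services" State=Stopped StartMode=Auto)
| rex "The system uptime is (?<uptime>\d+) seconds\."
| rex field=_raw "\nName=(?<SvcName>IBM.+)"
| stats min(uptime) AS uptime, values(SvcName) AS stopped_auto_services BY host
| where uptime <= 86400 AND isnotnull(stopped_auto_services)
| sort - uptime
```

Hosts with no uptime event in the window, or with no stopped IBM service set to Auto, drop out at the where clause, so saving this over the last 2 hours with a trigger of "number of results > 0" alerts only on recently rebooted servers whose auto-start IBM services did not come back.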