I was referring to C:\Windows\Minidump

Mini dump event should be in system event log.

Splunk should not be used to read the minidump though. Instead you need a process that’s enforced by active directory, or other policies. The process should detect the bsod occurred using the wineventlog and then upload the minidump to a server that can then debug the dump and post those results into a file that splunk would then ingest.

You need an entire architecture around this process but using helge’s answer + learning windbg or kd + building something custom for yourself.

http://www.bentleypc.com/blogs/atlanta-computer-repair/windbg-kd-and-reading-minidumps/

Thanks Helge.. I am aware of other details of troubleshooting.. Just wanted to check if via Splunk, we enable C:\Windows\minidump file being monitored, we can then use the Windows Tool to debug further...

Currently I dont see this configured .. So wanted to check if there is way to configure this like a on-demand metrics as BSOD does not occur on all always.. Whenever it occurs, Splunk should be able to capture relevant date/time of the event along with minidump file.

Please Advise.

Small memory dumps, typically placed in the C:\Windows\Minidump directory, are written if the system is configured to do so in the "Startup and Recovery" dialog. They provide an alternative to kernel or complete memory dumps which are typically stored in C:\Windows\memory.dmp.
There are some tools available to analyze small memory dumps: NirSoft BlueScreenView (http://www.nirsoft.net/utils/blue_screen_view.html) and Microsoft's DumpChk (https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/dumpchk). You might be able to automate the analysis of small memory dumps with the help of these tools and a script executed through Universal Forwarder or uberAgent.

Hi Helge,

How does Uber report on BSOD from a PC. Is it from any event viewer, if so, which ath within Event Viewer?

If nt Event Viewer, how des Uber record BSOD occurences on any PC.
I am interested t know the path on the PC it picks data from.

Regards
Sandeep Shah

uberAgent collects BSOD information from the event ID 41 in the system event log.

Which means everytime Event Code 41 occurs, it is considered as BSOD occurence?

There is another Surce by Name BugCheck, Is this info not taken up by UberAgent?

We need some discussion on this topic if you can help me arrange a call as we are seeing the data generated for example: for the month of Aug, Sep and Oct on Nov 7th and for the same months (Aug, Sep and Oct ) on Dec 19th, numbers are varying . Idealy it should be same. So we need guidance on how t troubeshoot this further.

I am from PwC Account.
It would be great if you r someone from your team can have a call with us, invite to sandeep.d.shah@pwc.com for discussing on this. please

Please contact us at our support email address to arrange a call.

Ok Thanks.