Hi fellow Splunkers,

Sorry I dont have enough karma points to post a link. I followed a Splunk blog post about monitoring windows service by Jason Conger.
TIPS & TRICKS
Monitoring Windows Service State History

I used wmi.conf to monitor my services on my servers.

In this snippet below for server1 the results turn out great I have a full service state history of the server1 for past 1day

index=windows sourcetype="WMI:Services" host=server1 earliest=-1d@d latest=now |
    streamstats current=false last(State) AS new_state last(_time) AS time_of_change BY DisplayName |
    where State != new_state |
    convert ctime(time_of_change) AS time_of_change |
    rename State AS old_state |
    table time_of_change host DisplayName old_state new_state

In this snippet below for I would wish to have a service state history of all my servers in my enviroment for past 1day. However the results turned out not the way I expected it to be.

index=windows sourcetype="WMI:Services" host=* earliest=-1d@d latest=now |
        streamstats current=false last(State) AS new_state last(_time) AS time_of_change BY DisplayName |
        where State != new_state |
        convert ctime(time_of_change) AS time_of_change |
        rename State AS old_state |
        table time_of_change host DisplayName old_state new_state

Did I miss out anything? Would be grateful if somebody pointed me in the right direction.

Thanks!