
Where can I get SystemUpTime to configure Anomalous System Uptime in the Splunk App for PCI Compliance?

kmedina1
Explorer

Folks,

I am looking to configure the Anomalous System Uptime report within the PCI app. As per the manual: "Relevant data sources for this report include uptime data extracted through scripts from Windows, Unix, or other hosts." Is then the Splunk_TA_windows pre-configured to pull the SystemUpTime? I cannot seem to find anything related to system uptime within the Windows logs; I tried looking at the data by doing sourcetype=Win*.

What does "data extracted through scripts" mean? Is this something that the Splunk Admin has to pull via Scripted Inputs?

Thanks!

http://docs.splunk.com/Documentation/PCI/2.1.1/Install/AnomalousSystemUpdate

0 Karma

Richfez
SplunkTrust

There is a system uptime reported by windows as part of the system events around midnight each night. Some details on the event with the portions I think are pertinent to finding these events in bold:

LogName=System
SourceName=EventLog
EventCode=6013
EventType=4
Type=Information
ComputerName=MyComputerName
TaskCategory=None
OpCode=None
RecordNumber=93763
Keywords=Classic
Message=The system uptime is 7593 seconds

If it isn't extracted, you could of course extract the uptime with a rex, perhaps like

... | rex field=Message "uptime is (?<uptime>\d+) seconds"

So if that's needed, there it is.

For ease of use, if you wanted, here's a few more calculations:

sourcetype="WinEventLog:system" EventCode=6013 
|rex field=Message "uptime is (?<uptime>\d+) seconds" 
| eval Uptime_Minutes=uptime/60 
| eval LastBoot=_time-uptime 
| convert  ctime(LastBoot) 
| table _time, host, Message, uptime, Uptime_Minutes, LastBoot

Have fun!

0 Karma
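As an added illustration of what the search above does (this is not code from the original answer or from Splunk), the following Python script parses a few constructed EventCode 6013 records in the same multi-line layout quoted above, pulls the uptime out of the Message field with the same regular expression, derives the last-boot time the way the `eval LastBoot=_time-uptime` step does, and then flags the two conditions a PCI reviewer usually cares about: a host that reports an uptime lower than its previous daily report (it rebooted in between) and a host whose uptime is below a minimum threshold. The sample events, host names and the 3600-second threshold are all assumptions made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: three daily EventCode 6013 reports for web01, one for
# db01, plus an unrelated 6005 event that the parser must ignore. The layout
# mirrors the WinEventLog:System fields quoted in the answer above.
SAMPLE_EVENTS = """\
2016-03-01 00:00:07
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=web01
Message=The system uptime is 864000 seconds

2016-03-02 00:00:09
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=web01
Message=The system uptime is 950400 seconds

2016-03-02 00:00:11
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=db01
Message=The system uptime is 2100 seconds

2016-03-02 00:00:12
LogName=System
SourceName=EventLog
EventCode=6005
ComputerName=db01
Message=The Event log service was started.

2016-03-03 00:00:05
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=web01
Message=The system uptime is 40000 seconds
"""

# Same pattern as the rex in the answer; the named group becomes the field.
UPTIME_RE = re.compile(r"uptime is (?P<uptime>\d+) seconds")
FIELD_RE = re.compile(r"^(?P<key>\w+)=(?P<value>.*)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(text):
    """Split blank-line separated events, keep only EventCode 6013 and return
    one dict per event with its timestamp, host and uptime in seconds."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        fields = {}
        for line in lines[1:]:          # first line is the event timestamp
            m = FIELD_RE.match(line)
            if m:
                fields[m.group("key")] = m.group("value")
        if fields.get("EventCode") != "6013":
            continue
        m = UPTIME_RE.search(fields.get("Message", ""))
        if not m:
            continue                    # a 6013 without the expected text
        events.append({
            "time": datetime.strptime(lines[0], TIME_FMT),
            "host": fields.get("ComputerName", "unknown"),
            "uptime": int(m.group("uptime")),
        })
    return events


def last_boot(event):
    """Equivalent of `eval LastBoot=_time-uptime`: event time minus uptime."""
    return event["time"] - timedelta(seconds=event["uptime"])


def find_anomalies(events, min_uptime=3600):
    """Per host, in time order: flag an uptime below min_uptime (assumed
    threshold) and an uptime that dropped since the previous report (reboot)."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    anomalies = []
    for host, host_events in by_host.items():
        prev = None
        for ev in host_events:
            if ev["uptime"] < min_uptime:
                anomalies.append({"host": host, "time": ev["time"],
                                  "reason": "uptime below threshold"})
            if prev is not None and ev["uptime"] < prev["uptime"]:
                anomalies.append({"host": host, "time": ev["time"],
                                  "reason": "reboot since previous report"})
            prev = ev
    return anomalies


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ev in evs:
        print(ev["host"], ev["time"], ev["uptime"], "booted", last_boot(ev))
    for a in find_anomalies(evs):
        print("ANOMALY", a["host"], a["time"], a["reason"])
```

The reboot check compares consecutive reports per host rather than relying on the absolute value, so a host that reboots and then runs for weeks is still caught on the first report after the reboot, which is the event a change-control review would want to tie to a ticket.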

prshntgbhat
New Member

Great. It helped.

0 Karma

kmedina1
Explorer

Thanks Rich! Actually, what I was looking for was more along the lines of Scripted Inputs. By going to wmi.conf we were able to enable the call that brings back the SystemUpTime and light up one of the dashboards of the PCI App.

0 Karma

Richfez
SplunkTrust

Your comment sounds like you solved the problem on your own.

If that is the case, why don't you convert your comment above to an answer, add a bit more detail to make it easier for others with this problem to follow along, then mark your answer as The One True Answer? It is OK to do that when it's appropriate and it'll help people in the future!

0 Karma