I am looking to configure the Anomalous System Uptime report within the PCI app. As per the manual: "Relevant data sources for this report include uptime data extracted through scripts from Windows, Unix, or other hosts." Is then the Splunk_TA_windows pre-configured to pull the SystemUpTime? I cannot seem to find anything related to system uptime within the Windows logs; I tried looking at the data by doing sourcetype=Win*.
What does "data extracted through scripts" mean? Is this something that the Splunk Admin has to pull via Scripted Inputs?
There is a system uptime reported by Windows as part of the system events around midnight each night. Some details on the event with the portions I think are pertinent to finding these events in bold:
Message=The system uptime is 7593 seconds
If it isn't extracted, you could of course extract the uptime with a rex, perhaps like
... | rex field=Message "uptime is (?<uptime>\d+) seconds"
So if that's needed, there it is.
For ease of use, if you wanted, here are a few more calculations:
sourcetype="WinEventLog:system" EventCode=6013
| rex field=Message "uptime is (?<uptime>\d+) seconds"
| eval Uptime_Minutes=uptime/60
| eval LastBoot=_time-uptime
| convert ctime(LastBoot)
| table _time, host, Message, uptime, Uptime_Minutes, LastBoot
Have fun!
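As an added example (not part of the original answer, and not the PCI app's own report search), the search above can be extended into a per-host check that lists only the hosts worth reviewing. The field names `max_uptime_days` and `max_report_age_hours` and their values (30 days, 36 hours) are assumptions chosen for illustration; set them to match your own patching and reboot policy.

```spl
sourcetype="WinEventLog:system" EventCode=6013
| rex field=Message "uptime is (?<uptime>\d+) seconds"
| stats latest(uptime) AS uptime, latest(_time) AS last_report BY host
| eval max_uptime_days=30, max_report_age_hours=36
| eval uptime_days=round(uptime/86400, 1)
| eval LastBoot=last_report-uptime
| eval report_age_hours=round((now()-last_report)/3600, 1)
| eval status=case(report_age_hours>max_report_age_hours, "no recent uptime event",
                   uptime_days>max_uptime_days, "uptime over threshold",
                   true(), "ok")
| where status!="ok"
| convert ctime(LastBoot) ctime(last_report)
| sort - uptime_days
| table host, status, uptime_days, LastBoot, last_report, report_age_hours
```

Run it over a time range of at least a few days so that hosts which have stopped sending the nightly event still appear with their last known report.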
Great.. It helped..
Thanks rich! Actually, what I was looking for was more along the lines of Scripted Inputs. By going to WMI.conf we were able to enable the call that brings back the SystemUpTime and light up one of the dashboards of the PCI App.
Your comment sounds like you solved the problem on your own.
If that is the case, why don't you convert your comment above to an answer, add a bit more detail to make it easier for others with this problem to follow along, then mark your answer as The One True Answer? It is OK to do that when it's appropriate and it'll help people in the future!