How To Restart A Windows-based Service From A Trig...

bennykhoo · ‎11-16-2018

Hi,

I have created a Splunk alert that will be triggered when a Windows-based service is down (ie. Print Spooler). For example, it will check a list of servers real-time and display the server/host if the Print Spooler service is down. My question is how do I automatically restart that Windows > Print Spooler service using the "Run a script" action from the alert? Do I need to create a batch script and put in the "$SPLUNK_HOME/bin/scripts" folder? Our Splunk search heads/indexer are running on Linux.

Can someone help with an example on what the script should look like? Do I just create a simple batch script with the following line...

sc.exe start "Print Spooler"

Also, do I need to pass the $result.host$ to the script so that it knows which server/host to run the script?

Thank you for your advice.

sals1648 · ‎04-04-2019

I'd like to know the same thing. I've been trying to do something very similar for about 6 months and read every document splunk has and nothing seems to work.

How To Restart A Windows-based Service From A Triggered Alert - Run A Script

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation