Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I monitor uptime of certain windows services?

saccam447
Explorer
‎12-08-2011 11:05 AM

Id like to monitor the services uptime of some of our mission critical servers i.e. IIS, DBs, Application Pools within IIS, etc.

Is there a way where I can do something like this?

Tags (3)
0 Karma
Reply

tred23
Path Finder
‎12-20-2016 12:50 AM

I found that using the WinHostMon sourcetype works better as the WMI sourcetype stopped reading after it encountered a space in the name of the service. It was also dedupping any services that had the same word before the space. WinHostMon reports correctly.

Here is the code I used:

index="windows" sourcetype="WinHostMon" source=service earliest="-24h@h" latest="now"  |
    stats latest(State) AS Status by host DisplayName |
    rename DisplayName AS "Display Name"

Hope that helps.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-08-2011 12:05 PM

One possible approach is by WMI. WMI provides the Win32_Service class which you can query in Splunk. then search upon the results.

I use this in wmi.conf to collect WMI information about running services so I can alert when a service that is expected to be running isn't.

[WMI:Services]
interval = 60
disabled = 0
index = default
wql = select Name, ProcessId, Caption, DisplayName, State, Status, StartName, SystemName from Win32_Service
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-15-2011 10:38 AM

Yes, you will need to make a .conf file to support this. What I provided is basically data capture. It will give you, every minute, a list of all of the NT services and their current state (Running, Stopped, Starting, etc). Doesn't care what the service is or what it does. From there, it's up to you to make a search that searches on the services you care about and their correct status.

0 Karma
Reply

cmahan
Path Finder
‎04-07-2016 09:42 AM

How do we limit to certain services? The volume of data is fairly huge with nearly 200 services on my servers. Killing my index volume. I really only care about a handful of the services.

0 Karma
Reply

moesaidi
Path Finder
‎02-20-2018 06:34 AM

Unfortunately there is no whitelist or blacklist available for WinHostMon so it monitors all services and indexes the data for all.
The "where" clause noted below will only limit the results after indexing.

0 Karma
Reply

joshuapetitt
Path Finder
‎10-05-2017 11:41 AM

you can use the where clause to limit the services

0 Karma
Reply

saccam447
Explorer
‎12-13-2011 04:28 PM

Will this monitor all services? including SQL and IIS?

Also do i need to create a conf file for this?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top