Getting Data In

How to collect Windows service status

morphis72
Path Finder

I'm trying to collect the status of two Windows services but I don't need the status of the rest of the services on the boxes. If I put in a WinHostMon stanza it collects everything but I can't seem to whitelist just the two I want.

Is there an easy way to do this without creating a props and transform?
I tried configuring a WMI stanza but I must have something incorrect.
See my example stanza below:

[WMI:Services]
interval = 300
disabled = 0
index = MyIndex
sourcetype = dwps-service
whitelist = "service1"
whitelist1 = "service2"
wql = select Name, DisplayName, State, Status, StartName FROM Win32_Service

jacobpevans
Motivator

Greetings @morphis72,

I would just grab all the services and filter within Splunk.

If you really don't want to go that route, you should be able to do this:

 [WMI:Services]
 interval = 300
 disabled = 0
 index = MyIndex
 sourcetype = dwps-service
 wql = select Name, DisplayName, State, Status, StartName FROM Win32_Service WHERE Name = "service1" OR  Name = "service2"

See here for everything you can do with WMI querying: https://www.darkoperator.com/blog/2013/3/11/introduction-to-wmi-basics-with-powershell-part-3-wql-an...

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

morphis72
Path Finder

Hi Jacob,

Thanks for the response. I tried the above stanza with my two service names I'm shooting for but didn't get anything back.

This is what the event looks like when I pull it in with WinHostMon, and in the wql statement above I'm using Name = "Blue Prism Server"

Type=Service
Name="Blue Prism Server"
DisplayName="Blue Prism Server"
Description="The Blue Prism Server Service"
Path="C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe"
ServiceType="Own Process"
StartMode="Manual"
Started=false
State="Stopped"
Status="OK"
ProcessId=0

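When a filtered WMI stanza like the one above returns nothing, the first thing to establish is whether the WQL itself matches anything on the host, independently of Splunk. The PowerShell below is an added example for this thread, not code from either poster or from Splunk; it runs the same WQL text through Get-CimInstance on the Windows box, and if no rows come back it searches Win32_Service by DisplayName to surface the short Name value that the WHERE clause has to match. The service names used ("Blue Prism Server", "service1") are taken from the thread as placeholders.

```powershell
# Added example (not from the original thread): validate the WQL filter from the
# Splunk WMI stanza directly on the Windows host before trusting the input.
# Service names are placeholders copied from the thread; substitute your own.

# Same query text as in the WMI stanza. WQL accepts double-quoted string literals,
# so this is what the Splunk WMI input will send to the WMI service.
$wql = 'SELECT Name, DisplayName, State, Status, StartName FROM Win32_Service ' +
       'WHERE Name = "Blue Prism Server" OR Name = "service1"'

# Get-CimInstance -Query executes raw WQL against the local (or -ComputerName) host.
$matched = Get-CimInstance -Query $wql

if ($matched) {
    # The query matches: the stanza's WHERE clause is fine, so an empty index in
    # Splunk points at the input side (stanza disabled, interval, or the account
    # splunkd runs as lacking WMI rights) rather than at the WQL.
    $matched | Select-Object Name, DisplayName, State, Status, StartName | Format-Table -AutoSize
} else {
    # No rows: Win32_Service.Name is the short service name, which for many services
    # differs from DisplayName. Look the service up by DisplayName to find the Name
    # value the WHERE clause must use.
    Write-Warning 'WQL returned no rows; listing services whose DisplayName looks similar.'
    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '%Blue Prism%'" |
        Select-Object Name, DisplayName, State, StartMode | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the monitored host, or add -ComputerName to both Get-CimInstance calls to test from the Splunk forwarder's side. If the query returns rows here but Splunk still indexes nothing, the WQL is not the problem and the stanza itself or the permissions of the account executing it should be checked next.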