I'm trying to collect the status of two Windows services but I don't need the status of the rest of the services on the boxes. If I put in a WinHostMon stanza it collects everything but I can't seem to whitelist just the two I want.
Is there an easy way to do this without creating a props and transform?
I tried configuring a WMI stanza but I have something incorrect.
See my example stanza below:
[WMI:Services]
interval = 300
disabled = 0
index = MyIndex
sourcetype = dwps-service
whitelist = "service1"
whitelist1 = "service2"
wql = select Name, DisplayName, State, Status, StartName FROM Win32_Service
I would just grab all the services and filter within Splunk.
If you really don't want to go that route, you should be able to do this:
[WMI:Services]
interval = 300
disabled = 0
index = MyIndex
sourcetype = dwps-service
wql = select Name, DisplayName, State, Status, StartName FROM Win32_Service WHERE Name = "service1" OR Name = "service2"
See here for everything you can do with WMI querying: https://www.darkoperator.com/blog/2013/3/11/introduction-to-wmi-basics-with-powershell-part-3-wql-an...
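To check the WHERE clause from the stanza above before putting it into wmi.conf, the following added example (not from the original thread; "service1" and "service2" are placeholders for your two services) runs the same WQL against the local host and, if nothing matches, lists services whose DisplayName matches so you can see the short Name value the filter actually needs:

```powershell
# Added example: validate the WQL filter locally before deploying it in wmi.conf.
# 'service1' and 'service2' are placeholders for the two service Names you want.
$serviceNames = @('service1', 'service2')

# Build the same WHERE clause the stanza uses (WQL accepts double-quoted literals).
$where = ($serviceNames | ForEach-Object { 'Name = "{0}"' -f $_ }) -join ' OR '
$wql   = 'SELECT Name, DisplayName, State, Status, StartName FROM Win32_Service WHERE ' + $where
Write-Host "Testing: $wql"

# Run the query through WMI/CIM exactly as written; this is what Splunk's WMI input executes.
$rows = Get-CimInstance -Query $wql

if (-not $rows) {
    Write-Warning 'No rows returned. The filter matches the short service Name, not the DisplayName.'
    # Look the services up by DisplayName instead and show the Name value to put in the stanza.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $serviceNames -contains $_.DisplayName } |
        Select-Object Name, DisplayName |
        Format-Table -AutoSize
} else {
    # These are the rows Splunk would index with the stanza as written.
    $rows | Select-Object Name, DisplayName, State, Status, StartName | Format-Table -AutoSize
}
```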
Thanks for the response. I tried the above stanza with my two service names I'm shooting for but didn't get anything back.
This is what the event looks like when I pull it in with WinHostMon, and in the wql statement above I'm using Name = "Blue Prism Server"
Name="Blue Prism Server"
DisplayName="Blue Prism Server"
Description="The Blue Prism Server Service"
Path="C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe"