Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to monitor a windows service, send an alert and restart the service?

sekhar463
Path Finder
‎10-17-2022 04:16 AM

hai all How to monitor a windows service, send an alert and restart the service?

what was the required configuration.

Labels (1)
Labels
0 Karma
Reply

sekhar463
Path Finder
‎10-17-2022 04:54 AM

how we can  run a script that restarts the remote service or send the request to a SOAR.

can you tell me the script.

generally windows services path will be Path="C:\WINDOWS\system32\svchost.exe

so what will be the script

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-17-2022 05:13 AM

Hi @sekhar463,

i haven't the script because I'm not a Windows specialist, but here you could find the script you need.

https://serverfault.com/questions/25081/how-do-i-restart-a-windows-service-from-a-script

For the SOAR, it depends on the SOAR you have, e.g. if you have Splunk Phantom it's already integrated, otherwise you need a script.

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎10-17-2022 06:59 AM

if it was linux then how we can use the script to start a service from splunk if service down

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-17-2022 07:11 AM

Hi @sekhar463,

you have to create a script containing a remete shell command to restart the service.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-17-2022 04:38 AM

Hi @sekhar463,

your question is just a little more complicated:

youcan monitor your windows server, using a Forwarder and an Add-On (Splunk_TA_Windows) that I suppose you already installed and configured.

Then you can monitor a service using a simple search

index=windows sourcetype=WinHostMon Type=Service host=<your_host Name=<your_service>
| table Name DisplayName Description Path Started StartMode State
| where state=down

Then you can create an alert to send an email and eventually run a script that restarts the remote service or send the request to a SOAR.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...