I have 10 machines installed with the Splunk forwarder, and I need a search to alert and send an email whenever my machines restart consecutively within a 1-hour span of time.
Thanks and Regards,
Make this search run every 30 mins
index=_internal sourcetype=splunkd (host=host1 OR host=host2 OR host=host3.... OR host=host10) component=loader "Splunkd starting" earliest=-2h | table host _time component | sort 0 host _time | streamstats current=f window=1 values(_time) as prev by host | eval duration=_time-prev | where duration<3600 | dedup host
Thanks for the quick response. This works fine, but is there any other way, apart from getting the status based on "Splunkd starting"? Can we get these from any other Windows event logs or so? Please help me.
There could be other ways, but I'm pretty sure I don't use that, so I won't be able to give you samples. But here is a link which talks about the Windows event log for service start/stop. If you have that ingested in Splunk, use a similar format as in my answer to achieve the same:
Find restart events in past 2h | sort ..| streamstats... rest of the search
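The following is an added example, not code from this thread or from Splunk. It mirrors the pipeline of the SPL answer above (earliest=-2h, sort by host and _time, streamstats to fetch the previous restart per host, eval duration, where duration<3600, dedup host) in plain Python over constructed log lines, so the logic can be checked offline before it is wired into an alert. It also covers the Windows event log variant suggested in the second answer: which Windows event to treat as a boot marker is an assumption here (System log EventCode 6005, "The Event log service was started"), and the sample splunkd.log and Windows event text, host names and "search time" are all constructed.

```python
"""Consecutive-restart detection, mirroring the SPL search from the thread.

Added example, not the thread's or Splunk's own code. All sample data below is
constructed. BOOT_EVENT_CODE is an assumption about which Windows System-log
event the reader treats as a restart signal.
"""
import re
from datetime import datetime, timedelta, timezone

# splunkd.log startup line written by the forwarder's loader component.
SPLUNKD_START = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"\w+\s+loader - Splunkd starting"
)
# Windows event as Splunk's Windows input lays it out: timestamp, then key=value lines.
WIN_TS = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)")
WIN_CODE = re.compile(r"^EventCode=(?P<code>\d+)$", re.M)
BOOT_EVENT_CODE = "6005"  # assumption: Event Log service start == machine boot


def parse_restart(host, raw):
    """Return {"host", "_time"} for a restart marker, or None for any other event."""
    m = SPLUNKD_START.match(raw)
    if m:
        t = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
        return {"host": host, "_time": t}
    code, ts = WIN_CODE.search(raw), WIN_TS.match(raw)
    if code and ts and code.group("code") == BOOT_EVENT_CODE:
        # The constructed Windows timestamps carry no zone; assume UTC.
        t = datetime.strptime(ts.group("ts"), "%m/%d/%Y %I:%M:%S %p")
        return {"host": host, "_time": t.replace(tzinfo=timezone.utc)}
    return None


def find_rapid_restarts(events, now, window=3600, earliest=timedelta(hours=2)):
    """Same steps as the SPL search:
      earliest=-2h                                   -> drop events older than `earliest`
      sort 0 host _time                              -> per host, oldest first
      streamstats current=f window=1
        values(_time) as prev by host                -> previous restart of the same host
      eval duration=_time-prev | where duration<3600 -> two restarts inside one hour
      dedup host                                     -> one alert row per host
    """
    recent = [e for e in events if e["_time"] >= now - earliest]
    recent.sort(key=lambda e: (e["host"], e["_time"]))
    prev, flagged = {}, {}
    for e in recent:
        h = e["host"]
        if h in prev:
            duration = (e["_time"] - prev[h]).total_seconds()
            if duration < window and h not in flagged:  # dedup keeps the first hit
                flagged[h] = {"host": h, "_time": e["_time"], "duration": duration}
        prev[h] = e["_time"]
    return [flagged[h] for h in sorted(flagged)]


NOW = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed search time
SAMPLE_EVENTS = [  # (host, _raw) pairs, all constructed
    ("host1", "05-01-2020 10:00:00.000 +0000 INFO  loader - Splunkd starting (build abc123)."),
    ("host1", "05-01-2020 10:01:00.000 +0000 INFO  loader - Setting SPLUNK_HOME=/opt/splunkforwarder."),
    ("host1", "05-01-2020 10:20:00.000 +0000 INFO  loader - Splunkd starting (build abc123)."),
    ("host2", "05-01-2020 10:05:00.000 +0000 INFO  loader - Splunkd starting (build abc123)."),
    ("host3", "05-01-2020 10:05:00.000 +0000 INFO  loader - Splunkd starting (build abc123)."),
    ("host3", "05-01-2020 11:30:00.000 +0000 INFO  loader - Splunkd starting (build abc123)."),
    ("host4", "05/01/2020 10:10:00 AM\nLogName=System\nSourceName=EventLog\nEventCode=6005\n"
              "Message=The Event log service was started."),
    ("host4", "05/01/2020 10:30:00 AM\nLogName=System\nSourceName=EventLog\nEventCode=6006\n"
              "Message=The Event log service was stopped."),
    ("host4", "05/01/2020 10:40:00 AM\nLogName=System\nSourceName=EventLog\nEventCode=6005\n"
              "Message=The Event log service was started."),
    ("host5", "05-01-2020 08:00:00.000 +0000 INFO  loader - Splunkd starting (build abc123)."),
    ("host5", "05-01-2020 08:10:00.000 +0000 INFO  loader - Splunkd starting (build abc123)."),
]


def run_search(sample=SAMPLE_EVENTS, now=NOW):
    """Parse the raw events and return the alert rows (host, last restart, gap in seconds)."""
    events = [r for r in (parse_restart(h, raw) for h, raw in sample) if r]
    return find_rapid_restarts(events, now)


if __name__ == "__main__":
    for row in run_search():
        print(f"{row['host']}: restarted again at {row['_time']:%H:%M} "
              f"after {row['duration']:.0f}s")
```

On the sample, host1 (two splunkd starts 20 minutes apart) and host4 (two Windows boot markers 30 minutes apart) are reported; host3's restarts are 85 minutes apart, host2 restarted once, and host5's pair falls outside the 2-hour lookback, so none of those alert. Note that `dedup host` keeps the first qualifying pair per host, so a machine that bounced three times still produces one row, which is what you want for a single email per host per run.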
Like I said, give us a search that shows a machine's restart and the log that that search returns.
Give us a search that shows a machine's restart and the log that that search returns.