Getting Data In

How to search and alert when my machines with Splunk forwarders restart consecutively within 1 hour?

deepthi5
Path Finder

Hi,

I have 10 machines installed with the Splunk forwarder and I need a search to alert and send an email whenever my machines restart consecutively within a 1 hour span of time.

Thanks and Regards,
Deepthi Bulusu

0 Karma

somesoni2
Revered Legend

Make this search run every 30 mins

index=_internal sourcetype=splunkd (host=host1 OR host=host2 OR host=host3.... OR host=host10) component=loader "Splunkd starting" earliest=-2h
| table host _time component
| sort 0 host _time
| streamstats current=f window=1 values(_time) as prev by host
| eval duration=_time-prev
| where duration<3600
| dedup host
0 Karma

deepthi5
Path Finder

Hi somesoni

Thanks for the quick response. This works fine, but is there any other way apart from getting the status based on "Splunkd starting"? Can we get these from any other Windows event logs or so? Please help me.

0 Karma

somesoni2
Revered Legend

There could be other ways, but I'm pretty sure I don't use them, so I won't be able to give you samples. But here is a link which talks about the Windows event log for service start/stop. If you have that ingested in Splunk, use a similar format as in my answer to achieve the same:
http://stackoverflow.com/questions/1067531/are-there-any-log-file-about-windows-services-status

Find restart events in past 2h | sort ... | streamstats ... rest of the search
0 Karma
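The two answers above describe one detection: take restart events (from "Splunkd starting" or from any other source that yields a host and a time), sort them per host, compare each restart with the previous one for that host, and flag the host when the gap is under an hour. The Python below is an added example, not code from the thread or from Splunk, that performs the same steps as the SPL search so the logic can be read one stage at a time. The events, hosts, timestamps and the fixed "now" are constructed sample data; the field names (host, _time, component, _raw) mirror the fields the search tables.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" for the constructed sample so results are reproducible (assumption).
NOW = datetime(2021, 3, 15, 8, 0, 0, tzinfo=timezone.utc)
MONITORED_HOSTS = {"host1", "host2", "host3", "host4"}  # constructed host list

START_MSG = "Splunkd starting (build 0000000000)."  # constructed message text

# Constructed sample events shaped like the fields the SPL search tables; not real log data.
SAMPLE_EVENTS = [
    # host1: two starts 40 minutes apart -> alerts
    {"host": "host1", "_time": "2021-03-15 07:00:00", "component": "loader", "_raw": START_MSG},
    {"host": "host1", "_time": "2021-03-15 07:40:00", "component": "loader", "_raw": START_MSG},
    # host2: 05:30 is outside the 2h lookback; 06:30 -> 07:45 is 75 minutes -> no alert
    {"host": "host2", "_time": "2021-03-15 05:30:00", "component": "loader", "_raw": START_MSG},
    {"host": "host2", "_time": "2021-03-15 06:30:00", "component": "loader", "_raw": START_MSG},
    {"host": "host2", "_time": "2021-03-15 07:45:00", "component": "loader", "_raw": START_MSG},
    # host3: a single start -> nothing to compare against (duration is null in SPL)
    {"host": "host3", "_time": "2021-03-15 07:10:00", "component": "loader", "_raw": START_MSG},
    # host4: three starts, the first two 10 minutes apart -> one alert row after dedup
    {"host": "host4", "_time": "2021-03-15 06:10:00", "component": "loader", "_raw": START_MSG},
    {"host": "host4", "_time": "2021-03-15 06:20:00", "component": "loader", "_raw": START_MSG},
    {"host": "host4", "_time": "2021-03-15 07:50:00", "component": "loader", "_raw": START_MSG},
    # a loader line that is not a start -> dropped by the "Splunkd starting" filter
    {"host": "host1", "_time": "2021-03-15 07:20:00", "component": "loader", "_raw": "Shutting down splunkd"},
]


def parse_time(text):
    """Parse the constructed _time string as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def find_consecutive_restarts(events, now, hosts,
                              lookback=timedelta(hours=2),
                              threshold=timedelta(hours=1)):
    """Return one alert row per host whose consecutive restarts are closer than `threshold`.

    Mirrors the SPL stages: filter -> sort 0 host _time -> streamstats prev by host
    -> eval duration -> where duration<3600 -> dedup host.
    """
    earliest = now - lookback
    # Filter: monitored hosts, loader component, start message, inside the lookback window.
    starts = [
        (e["host"], parse_time(e["_time"]))
        for e in events
        if e["host"] in hosts
        and e["component"] == "loader"
        and "Splunkd starting" in e["_raw"]
        and earliest <= parse_time(e["_time"]) <= now
    ]
    starts.sort()  # sort 0 host _time

    alerts = []
    alerted = set()      # dedup host: keep the first qualifying row per host
    prev_by_host = {}    # streamstats current=f window=1 ... by host
    for host, t in starts:
        prev = prev_by_host.get(host)
        prev_by_host[host] = t
        if prev is None:
            continue     # first restart for this host: duration is null, where() drops it
        gap = (t - prev).total_seconds()  # eval duration=_time-prev
        if gap < threshold.total_seconds() and host not in alerted:  # where duration<3600
            alerted.add(host)
            alerts.append({"host": host, "restart": t.isoformat(),
                           "previous": prev.isoformat(), "gap_seconds": gap})
    return alerts


if __name__ == "__main__":
    for row in find_consecutive_restarts(SAMPLE_EVENTS, NOW, MONITORED_HOSTS):
        print(f"{row['host']}: restarted at {row['restart']}, "
              f"{row['gap_seconds']:.0f}s after {row['previous']}")
```

Two things the sample makes visible that the one-line search does not: a host's first restart inside the window never produces a row, because there is no previous value to subtract, and a pair that straddles the lookback edge (host2 at 05:30 and 06:30) is invisible to a single run. Since the search is scheduled every 30 minutes over a 2-hour window, the same qualifying pair will match on up to four consecutive runs, so the alert should be throttled per host if one e-mail per incident is wanted.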

woodcock
Esteemed Legend

Like I said, give us a search that shows a machine's restart and the log that that search returns.

0 Karma

woodcock
Esteemed Legend

Give us a search that shows a machine's restart and the log that that search returns.

0 Karma