Windows Host Status (Red, Amber, Green)

nathanluke86 · ‎11-26-2019

Has anyone been able to create a single panel (Red, Amber, Green status) for a windows host to show if the host has critical performance issues etc.

We are trying to create this to show green as ok, amber, red as critical etc but are struggling with false positives.

We currently use SCOM so might it be worth ingesting these logs to create this?

Any suggestions of how to accomplish this would be appreciated.

We already have the Splunk app for infra but are trying to create a display dashboard that gives us a quick overview of our hosts to display on a screen.

We would like it to be a bit more than host not forwarding logs as the indicator of an issue.

Some dashboard examples would be a great help or just pointers that may help us achieve this.

TIA

to4kawa · ‎11-26-2019

Best Practices for implementing Windows OS monitoring

How about it?

gcusello · ‎11-26-2019

HI @nathanluke86,
could be more detailed when you speak of critical performaces issues?
Anyway, at first you have to create your searches to find the value for each host.
Then see in Splunk Dashboard Examples App, at Table Icon Set (Rangemap) dashboard to see how to display status in graphic mode.

This is an example:

<dashboard script="table_icons_rangemap.js" stylesheet="table_decorations.css">
    <label>Table Icon Set (Rangemap)</label>
    <description>Use Javascript and CSS in tables to convert rangemap results into icons.</description>
    <row>
        <table id="table1">
            <title>Render Icons based on rangemap result</title>
            <search>
                <query>
                    index=_internal
                    | stats count by sourcetype,source,host
                    | rangemap field=count low=0-100 elevated=101-1000 default=severe
                </query>
                <earliest>-1h</earliest>
            </search>
            <option name="drilldown">none</option>
        </table>
    </row>
</dashboard>

in which there are notable:

in the first row a css and a js to call;
the id=1 in table tag used by js;
the rangemap command used to define the threesholds for the different levels and icons.

Ciao.
Giuseppe

nathanluke86 · ‎11-26-2019

Hello @gcusello

Thanks for the reply.

This seems a good way to display the data but what we are trying to achieve is for Windows server health like cpu and critical errors etc that may affect users or customers.

I think we may have to use a third party tool to get the required result as we can't find anything that doesn't return false positives.

We need something like a lookup or script input that would flag critical events as we can't seem to find the right events to monitor in the windows logs.

Thanks

gcusello · ‎11-26-2019

HI @nathanluke86,
I don't know your need but, I hint to see the Splunk app for windows infrastructure, probably there's the searches you need, then you can display results in graphic mode as I said.
I don't like to use an externaltool (when I can).

Ciao.
Giuseppe

Windows Host Status (Red, Amber, Green)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Windows Host Status (Red, Amber, Green)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future