Getting Data In

Windows Machines not rebooted in the last 45 days


Hello all,

I am trying to build a report of any Windows machines not rebooted in the last 45 days and just need some help working through it.

So far I know that searching:
index=mywindowseventlogindex sourcetype=wineventlog:system EventCode=6006 | dedup host | stats count by host

returns all machines that have rebooted. I am just struggling with how to take this and compare this list against all other hosts and then only display the ones that did not have this event in the last 45 days. Any help is much appreciated.

1 Solution


Hi @tkerr1357,
you have to create a lookup with all the servers you're monitoring (called e.g. perimeter.csv) where there's at least one field called host.
Then you have to run a search like this:

index=mywindowseventlogindex sourcetype=wineventlog:system EventCode=6006
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

In this way you have all the servers of your perimeter that didn't have EventCode=6006.

This is a very slow search, so schedule it to run at night.

If instead you want to have a dashboard with all the last reboots and evidence of non-rebooted servers, you should build something like this:
schedule a search every night (e.g. at 00.15) and save the results in a summary index:

index=mywindowseventlogindex sourcetype=wineventlog:system EventCode=6006 earliest=-d@d latest=@d
| eval host=lower(host)
| stats latest(_time) AS _time BY host
| collect index=my_summary_index

Then run a search like this:

index=my_summary_index
| eval host=lower(host)
| stats latest(_time) AS _time count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0, _time="No reboots in last period" | fields host count _time ]
| stats values(_time) AS _time sum(count) AS total BY host

In this way you have the reboot status of each host.

Ciao.
Giuseppe

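Putting the accepted answer's lookup-difference together with the explicit 45-day window the question asks for, here is one complete search. It is added here as an example and is not from the original post or from Giuseppe's answer. It assumes the same index, sourcetype and perimeter.csv (with a host column) as the thread, and additionally assumes the lookup holds short hostnames, so it strips any DNS suffix before comparing; drop the replace() if your lookup already uses the same form as the event host field. It also separates hosts that have not rebooted from hosts that have stopped sending any System log events at all: both are absent from the EventCode=6006 results, but only the first is a patching problem, the second is a forwarder or collection problem, and a report that lumps them together proves the wrong negative.

```spl
index=mywindowseventlogindex sourcetype=wineventlog:system EventCode=6006 earliest=-45d@d latest=now
| eval host=lower(replace(host, "\..*$", ""))
| stats latest(_time) AS last_reboot, count AS reboots_45d BY host
| append
    [ | tstats latest(_time) AS last_seen
        WHERE index=mywindowseventlogindex sourcetype=wineventlog:system earliest=-45d@d latest=now
        BY host
      | eval host=lower(replace(host, "\..*$", ""))
      | stats max(last_seen) AS last_seen BY host
      | fields host last_seen ]
| append
    [ | inputlookup perimeter.csv
      | eval host=lower(replace(host, "\..*$", "")), in_perimeter=1
      | fields host in_perimeter ]
| stats max(last_reboot) AS last_reboot, sum(reboots_45d) AS reboots_45d,
        max(last_seen) AS last_seen, max(in_perimeter) AS in_perimeter BY host
| where in_perimeter=1
| fillnull value=0 reboots_45d
| eval status=case(isnull(last_seen), "NOT REPORTING (no System log events in 45 days)",
                   reboots_45d=0,   "NOT REBOOTED (reporting, but no EventCode 6006 in 45 days)",
                   true(),          "OK"),
       days_since_reboot=if(isnull(last_reboot), null(), round((now()-last_reboot)/86400, 0)),
       last_reboot=if(isnull(last_reboot), "-", strftime(last_reboot, "%Y-%m-%d %H:%M:%S")),
       last_seen=if(isnull(last_seen), "-", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host status last_reboot days_since_reboot last_seen
| sort status host
```

The three legs are combined with stats BY host after both appends: the first leg contributes last_reboot and the reboot count, the tstats leg (cheap, since it reads only indexed fields) contributes last_seen for every host that logged anything, and the lookup leg marks perimeter membership. Hosts that log 6006 but are missing from perimeter.csv are dropped by the where clause, so keep the lookup current. Note that 6006 is written when the Event Log service stops, i.e. on a clean shutdown; a machine that crashed or was hard-reset will not log it but will log 6005 (Event Log service started) on the way back up, so add EventCode=6005 to the first line if you want to count those reboots as well.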

| tstats count where index=mywindowseventlogindex sourcetype=wineventlog:system TERM("EventCode") TERM("6006") by host _time span=1d prestats=t
| timechart count by host
| untable _time host count
| stats max(eval(if(count > 0,_time,NULL))) as _time by host
`comment("_time is latest_reboot time.")`

It seems that tstats can be used, so if you set the time picker to the past two months, it may not take long.




See https://www.duanewaddle.com/proving-a-negative/
