Windows Machines not rebooted in the last 45 days

tkerr1357
Path Finder

Hello all,

I am trying to build a report of any Windows machines not rebooted in the last 45 days and just need some help working through it.

So far I know that searching:
index=mywindowseventlogindex sourcetype=wineventlog:system EventCode=6006 | dedup host | stats count by host

returns all machines that have rebooted. I am just struggling with how to take this and compare this list against all other hosts and then only display the ones that did not have this event in the last 45 days. Any help is much appreciated.

1 Solution

gcusello
SplunkTrust

Hi @tkerr1357,
you have to create a lookup with all the servers you're monitoring (called e.g. perimeter.csv) where there's at least one field called host.
Then you have to run a search like this:

index=mywindowseventlogindex sourcetype=wineventlog:system EventCode=6006
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

In this way you have all the servers of your perimeter that didn't have EventCode=6006.

This is a very slow search, so schedule it at night.

If instead you want to have a dashboard with all the last reboots and evidence of servers that were not rebooted, you should build something like this:
schedule a search every night (e.g. at 00.15) and save the results in a summary:

index=mywindowseventlogindex sourcetype=wineventlog:system EventCode=6006 earliest=-d@d latest=@d
| eval host=lower(host)
| stats latest(_time) AS _time BY host
| collect index=my_summary_index

Then run a search like this:

index=my_summary_index
| eval host=lower(host)
| stats latest(_time) AS _time count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0, _time="No reboots in last period" | fields host count _time ]
| stats values(_time) AS _time sum(count) AS total BY host

In this way you have the reboot status of each host.

Ciao.
Giuseppe

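The append-a-zero-count-row trick from the accepted answer, reimplemented in Python as an added example (not code from the thread) so the logic can be run offline: the inventory text standing in for perimeter.csv, the EventCode 6006 records and the "now" timestamp are all constructed, and hosts_not_rebooted is a hypothetical name for the final `where total=0` step. It goes slightly beyond the first search by keeping the last reboot time, so a host that rebooted but earlier than the window is reported next to hosts that never logged the event at all.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from the thread. The inventory text stands in for
# perimeter.csv: one row per monitored host, with a field called "host".
PERIMETER_CSV = "host\nDC01\nFS02\nweb03\nSQL04\n"

# Constructed EventCode 6006 records as (host, event time). Host name case
# varies on purpose, which is why the thread lower-cases host on both sides.
REBOOT_EVENTS = [
    ("dc01", "2024-05-01T02:10:00"),
    ("DC01", "2024-06-02T03:05:00"),
    ("fs02", "2024-03-20T23:40:00"),    # rebooted, but more than 45 days ago
    ("Web03", "2024-06-10T01:00:00"),
    ("orphan9", "2024-06-11T01:00:00"), # not in the inventory: not reported
]

NOW = datetime(2024, 6, 14, tzinfo=timezone.utc)  # constructed "now"


def load_perimeter(csv_text):
    """Like `inputlookup perimeter.csv | eval host=lower(host)`."""
    rows = [r.split(",") for r in csv_text.splitlines() if r.strip()]
    idx = rows[0].index("host")
    return {r[idx].strip().lower() for r in rows[1:]}


def last_reboot_by_host(events):
    """Like `eval host=lower(host) | stats latest(_time) AS _time BY host`."""
    latest = {}
    for host, ts in events:
        t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        if host.lower() not in latest or t > latest[host.lower()]:
            latest[host.lower()] = t
    return latest


def hosts_not_rebooted(perimeter, latest, now, days=45):
    """The 'proving a negative' step from the accepted answer: every inventory
    host starts with count=0, only reboots inside the window add to it, and the
    hosts whose total stays 0 are reported. Returns sorted (host, last_reboot)
    pairs, with last_reboot None when the host never logged a 6006 at all."""
    cutoff = now - timedelta(days=days)
    return [(h, latest.get(h)) for h in sorted(perimeter)
            if latest.get(h) is None or latest[h] < cutoff]
```

Hosts that appear in the events but not in the inventory are dropped, exactly as the SPL's final `stats ... BY host` keeps them out of the zero-count check only if they are in perimeter.csv.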

to4kawa
Ultra Champion
| tstats count where index=mywindowseventlogindex sourcetype=wineventlog:system TERM("EventCode") TERM("6006") by host _time span=1d prestats=t
| timechart count by host
| untable _time host count
| stats max(eval(if(count > 0,_time,NULL))) as _time by host
`comment("_time is latest_reboot time.")`

It seems that tstats can be used, so if you set the time picker to the past two months, it may not take long.



richgalloway
SplunkTrust

See https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.