Re: Check Windows Service status and return state ...

lbrhyne · ‎02-05-2021

Hello...

I'm trying to create a lookup table of windows hosts running CrowdStrike, Tenable, Bitlocker, Splunk, and DHCP then return the state of the service. If the service is not installed, then note that the service is not installed. The problem I have is the service status in not reporting back as expected in each column.

Host	CrowdStrike	Tenable	Splunk	Bitlocker
PC-01	Running	Not installed	Running	Stopped

index=windows  source="kiwi syslog server" Name="CSFalconService" OR Name="Tenable Nessus Agent" OR Name="SplunkForwarder" OR Name="Dhcp" OR Name="BDESVC"
| stats values(*) AS * max(_indextime) as indextime BY host

| eval crowdstrike=if(Name=="CSFalconService", State ,"CS Agent Not Installed")
| eval tenable=if(Name=="Tenable Nessus Agent", State , "Tenable Agent Not Installed")
| eval splunk=if(Name=="SplunkForwarder", State, "Splunk Agent Not Installed")
| eval bitlocker=if(Name=="BDESVC", State,"Bitlocker Service Not Installed")

| table host crowdstrike tenable splunk bitlocker

Any help would be greatly appreciated!

scelikok · ‎02-06-2021

Hi @lbrhyne,

Please try below;

index=windows  source="kiwi syslog server" (Name="CSFalconService" OR Name="Tenable Nessus Agent" OR Name="SplunkForwarder" OR Name="Dhcp" OR Name="BDESVC")
| chart latest(State) as State over Name by host 
| fillnull value="Not Installed" 
| transpose header_field=Name

If this reply helps you an upvote and "Accept as Solution" is appreciated.

lbrhyne · ‎02-06-2021

Thank you @scelikok !

This worked perfectly! Almost. The query return the data in the format I was looking for, however it only returning 11 rows of data, where there should be a 1000+.

On another note... Leave it to me to totally overthink the logic. Thanks again.

Check Windows Service status and return state or not found

development

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life