Hi!

Consider the following kpi base search monitoring the windows service state:

index=wineventlog sourcetype="WinEventLog:System" SourceName="Microsoft-Windows-Service Control Manager"
| rex field=Message "(The) (?<ServiceName>.+) (service entered the) (?<ServiceState>.+) "
| eval ServiceState=case(ServiceState=="running",2,ServiceState=="stopped",0,1==1,1)

 If I do not want to explicitly name the windows service in the base search how do I include the service name, here ServiceName, beside the entity_title=host in the later created ITSI episode.
Why? From the created episode we run a recovery action to restart a windows service when stopped. For this we need to know the service name and the host it is running on.

What we need is the entity_title=host and the whatsoever=ServiceName as dedicated fields available in the correlation search from this generic kpi base search. Performing an ITOA rest call is no problem.

Note: If I split by ServiceName then the service name becomes the entity_title and then the host is missing.

Maybe one having an idea which does help us. We just want to avoid creating one KPI per Windows Service.

Cheers

Peter