Hi all,
I am checking the list of services that are down on a host using the search below:
index=ivz_unix* Service source="Unix:Service" status=stopped
What search query should I use to check the list of services that are down for a host, based on the host name?
For example, I want to see, for a host, which services are in the stopped state.
Please help.
I am not getting anything when I check with this.
Actually, I want to create a view to check the list of services in the stopped state based on hostname.
Perhaps if you could share some of your events (anonymised of course) and which fields you already have extracted, we might be able to help you a bit more.
Hi, the events are Unix services data for sourcetype Unix:Service:
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-readahead-done.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Stop Read-Ahead Data Collection"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
10/26/22 2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-readahead-collect.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Collect Read-Ahead Data"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
10/26/22 2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-modules-load.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Load Kernel Modules"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
10/26/22 2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-ask-password-plymouth.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Forward Password Requests to Plymouth"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
10/26/22 2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rpc-statd-notify.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Notify NFS peers of a restart"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
10/26/22 2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rhel-autorelabel.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Relabel all filesystems, if necessary"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
10/26/22 2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rhel-autorelabel-mark.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Mark the need to relabel after reboot"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
10/26/22 2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=pxp-agent.service, LOADED=not-found, ACTIVE=inactive, SUB=dead, DESCRIPTION="pxp-agent.service"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
10/26/22 2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=plymouth-quit-wait.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Wait for Plymouth Boot Screen to Quit"
host = usinfsmbcld100, source = Unix:Service, sourcetype = Unix:Service
What fields do you already have extracted?
Which part of the event tells you what the service is?
Which part of the event tells you the status of the service?
I have already extracted the fields host, service name, description and status.
So I want to know how many services are down for a host.
Note that you will have to use the correct field names and values for your use case, and that the where command is case-sensitive.
index=ivz_unix* Service source="Unix:Service"
| stats latest(status) as status by host Service
| where status="stopped"
| stats count by host
It's giving 0 results.
But while it has data, how can we filter to list only the services for a host?
It depends what events you have in your index (which you haven't shared).
Having said that, perhaps you want the latest status of the services on each host and count the number in the stopped state?
index=ivz_unix* Service source="Unix:Service"
| stats latest(status) as status by host Service
| where status="stopped"
| stats count by host
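As an added example that is not part of the thread, the script below re-implements the logic of that search pipeline (latest status per host and service, keep only the stopped ones, then count per host, optionally restricted to one host) in plain Python over constructed systemctl-style events modelled on the ones posted above. The raw events carry ACTIVE= and SUB= rather than a field literally called status, so the mapping ACTIVE=inactive to "stopped" and anything else to "running" is an assumption made here, as are the host names and unit names in the sample data; the status comparison is an exact string match, like the where command in the answer.

```python
"""Offline re-implementation of:
    | stats latest(status) as status by host Service
    | where status="stopped"
    | stats count by host
over constructed Unix:Service events (not data from the thread).
"""
import re
from datetime import datetime

# Constructed sample events: (host, raw systemctl line). Not real hosts.
SAMPLE_EVENTS = [
    ("hostA", 'Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=sshd.service, LOADED=loaded, ACTIVE=active, SUB=running, DESCRIPTION="OpenSSH server daemon"'),
    ("hostA", 'Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rpc-statd-notify.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Notify NFS peers of a restart"'),
    # crond is reported twice; only the later report counts (stats latest()).
    ("hostA", 'Wed Oct 26 09:30:00 CDT 2022 type=systemctl UNIT=crond.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Command Scheduler"'),
    ("hostA", 'Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=crond.service, LOADED=loaded, ACTIVE=active, SUB=running, DESCRIPTION="Command Scheduler"'),
    ("hostB", 'Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=auditd.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Security Auditing Service"'),
    ("hostB", 'Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=sshd.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="OpenSSH server daemon"'),
]

# Timestamp prefix ("Wed Oct 26 09:36:57 CDT 2022") followed by key=value pairs.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4}) (?P<kv>.*)$"
)
# key=value where the value is either "quoted text" or a bare token up to a comma/space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_event(host, raw):
    """Turn one raw line into a dict with _time, host, Service, status, description."""
    m = EVENT_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised event format: {raw!r}")
    # The zone abbreviation is dropped before parsing; all samples share one zone.
    when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m["kv"])}
    # Assumed mapping from systemctl ACTIVE= to the thread's status values.
    status = "stopped" if fields.get("ACTIVE") == "inactive" else "running"
    return {
        "_time": when,
        "host": host,
        "Service": fields["UNIT"],
        "status": status,
        "description": fields.get("DESCRIPTION", ""),
    }


def latest_status(raw_events):
    """stats latest(status) as status by host Service: keep the newest event per pair."""
    latest = {}
    for host, raw in raw_events:
        ev = parse_event(host, raw)
        key = (ev["host"], ev["Service"])
        if key not in latest or ev["_time"] >= latest[key]["_time"]:
            latest[key] = ev
    return latest


def stopped_services(raw_events, host=None):
    """where status="stopped", optionally restricted to one host.
    Returns {host: [sorted service names]} for hosts that have at least one stopped service."""
    result = {}
    for (h, service), ev in latest_status(raw_events).items():
        if host is not None and h != host:
            continue
        if ev["status"] == "stopped":  # exact match, like Splunk's where
            result.setdefault(h, []).append(service)
    return {h: sorted(s) for h, s in result.items()}


def count_stopped_by_host(raw_events, host=None):
    """stats count by host over the stopped services."""
    return {h: len(s) for h, s in stopped_services(raw_events, host).items()}


if __name__ == "__main__":
    for h, services in stopped_services(SAMPLE_EVENTS).items():
        print(f"{h}: {len(services)} stopped -> {', '.join(services)}")
```

Running it lists one stopped service on hostA (crond is running in its latest report, so it is not counted) and two on hostB; calling stopped_services(SAMPLE_EVENTS, host="hostB") gives the per-host view the question asks for.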