Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check the status and start mode of these services?

jip31
Motivator
‎03-22-2018 05:52 AM

Hello all
I want to check the status and the start mode of the 2 services below and I wrote this code.
Does it seem to be ok?

[WinHostMon://service]
type = service
interval = 3600
index = winsvc
disabled = 1
Name = "CcmExec" OR "RCAgentMgr" OR "WMI"
Status = "Arrêté"
Start mode = "Manuel" OR "Désactivé"

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

logloganathan
Motivator
‎03-22-2018 07:58 AM

Please write splunk query like this

index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Status = "Arrêté" Start mode = "Manuel" OR Start mode = "Désactivé"

then select the time range as 60 minutes

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-26-2018 10:53 AM

oh thanks!
sorry i a m rouky and i didnt male any elearning so it s difficut for me
i have a last question
when we wrire an spl command how do we do to know the exact name of a field in the index
we are obliged to display fils like this :
index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
thanks again

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-27-2018 02:16 AM

index=_internal | fieldsummary

here you can see all the field summary. Please refer this document for more help
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Fieldsummary

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-26-2018 10:29 AM

sorry i have forgotten "error"

so index=main | followTail = 0 AND _TCP_ROUTING = "pnlogGroup"| "error" | table disabled time range 120 minute??

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-26-2018 10:43 AM

Index = main followTail=0 _TCP_ROUTING="pnlogGroup" "error" | table disabled

Then select time range 120 minutes

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-26-2018 10:04 AM

so index=main | followTail = 0 AND _TCP_ROUTING = "pnlogGroup" | table disabled time range 120 minute??

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-26-2018 09:05 AM

so the entire SPL command is :
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1 time range 120 minute ???
or does it miss some informations??

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-26-2018 09:52 AM

You have to add the index in the query..

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-26-2018 09:58 AM

Index = winsvc
Please refer previous example

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-26-2018 09:04 AM

so the entire SPL command is just this? :
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1 time range 120 minute

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-26-2018 07:02 AM

Nathan

1) OK for this answer
2) I dont understand
i use the code below because i want to find the word "error" in C:\Tools\Flags
but i dont know why you put : | table disabled???? disabled = 0 ou 1....
so where i put the word "error" in my SPL command???

[monitor://C:\Tools\Flags]
interval = 120

How often, in seconds, to poll for new data

whitelist = .log$

If set, Splunk Enterprise only monitors files whose names match the specified regular expression

disabled = 1

Whether or not to gather the performance data defined in this input

followTail = 0 AND _TCP_ROUTING = pnlogGroup

If set to 1, monitoring begins at the end of the file

Specifies a comma-separated list of tcpout group names Define the tcpout group names in outputs.conf

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-26-2018 07:45 AM

if you want to add "error"
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1
time range 120 minute
Please refer the document which will help you for outputs.conf

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Outputsconf

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-26-2018 04:35 AM

1)
index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Start mode = "Manuel" OR Start mode = "Désactivé" | table Status

if status is active then service is up else vice versa

2)
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" | table disabled
time range 120 minute
based on disabled value you can consider whether its up or down

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-23-2018 03:38 AM

disabled = 1 AND followTail = 0 AND _TCP_ROUTING = "pnlogGroup"

then select the time range as 2 minute

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-23-2018 03:43 AM

Thanks but you dont have responded to all my questions 😉

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎03-23-2018 03:49 AM

i have responded to your previous questions.
please ask if i missed anything

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-23-2018 05:26 AM

Yes you have missed this logloganathan
1) which SPL command i have to write for checking if the service is up or down? (see code below)
index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Status = "Arrêté" Start mode = "Manuel" OR Start mode = "Désactivé"

2) which SPL command i have to write for checking a filethe service is up or down? (see code below)
[monitor://C:\Windows\Logs\CBS]
interval = 120
whitelist = .log$
disabled = 1
followTail = 0 AND _TCP_ROUTING = pnlogGroup

THANKS

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-25-2018 10:58 PM

hello all, nobody for helping me please??

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-22-2018 11:40 PM

Thanks very much lolloganathan!
i have 2 others questions
1) now i have modified inputs.conf which SPL command i have to write for checking if the service is up or down?
2) i wrote the code below for monitoring a file in splunk
Does it seems to be ok?
Same question : which SPL command i have to write for checking the log from SPLUNK?
Sorry i am rouky

[monitor://C:\Windows\Logs\CBS]
interval = 120
whitelist = .log$
disabled = 1
followTail = 0
_TCP_ROUTING = pnlogGroup

thanks

0 Karma
Reply
Solved! Jump to solution
Solution

logloganathan
Motivator
‎03-22-2018 07:58 AM

Please write splunk query like this

index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Status = "Arrêté" Start mode = "Manuel" OR Start mode = "Désactivé"

then select the time range as 60 minutes

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top