Hello all
I want to check the status and the start mode of the 2 services below and I wrote this code.
Does it seem to be ok?
[WinHostMon://service]
type = service
interval = 3600
index = winsvc
disabled = 1
Name = "CcmExec" OR "RCAgentMgr" OR "WMI"
Status = "Arrêté"
Start mode = "Manuel" OR "Désactivé"
Thanks
Please write the Splunk query like this:
index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Status = "Arrêté" Start mode = "Manuel" OR Start mode = "Désactivé"
Then select the time range as 60 minutes.
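The same check as the query above, applied in Python over constructed WinHostMon-style service events. This is an added example, not code from the thread or from Splunk; the field names Name, Status and Start mode are taken from the query and are assumptions, so confirm the real field names with | fieldsummary before relying on them. The service-name and status filters are search-time conditions, which is why they sit in the search rather than in the WinHostMon stanza.

```python
import re

# Constructed WinHostMon-style service events (not real Splunk output).
# Field names follow the thread's query; verify the real ones with
# "index=winsvc | fieldsummary" before using them in a saved search.
SAMPLE_EVENTS = """\
Name="CcmExec" Status="Arrêté" Start mode="Manuel"
Name="RCAgentMgr" Status="En cours d'exécution" Start mode="Auto"
Name="WMI" Status="Arrêté" Start mode="Désactivé"
Name="Spooler" Status="Arrêté" Start mode="Désactivé"
"""

WATCHED_SERVICES = {"CcmExec", "RCAgentMgr", "WMI"}
STOPPED = "Arrêté"                      # "Stopped" on a French Windows host
NON_AUTO_START = {"Manuel", "Désactivé"}  # "Manual" / "Disabled"

# key="value" pairs; the key may contain a space ("Start mode").
FIELD_RE = re.compile(r'([A-Za-z][A-Za-z ]*?)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" event line into a dict."""
    return {k.strip(): v for k, v in FIELD_RE.findall(line)}


def is_stopped_non_auto(event):
    """The condition the query expresses: a watched service that is
    stopped AND whose start mode is manual or disabled."""
    return (event.get("Name") in WATCHED_SERVICES
            and event.get("Status") == STOPPED
            and event.get("Start mode") in NON_AUTO_START)


def service_report(raw):
    """Return ({service: "up"/"down"}, [services failing the check])
    for the watched services only; other services are ignored."""
    status, failing = {}, []
    for line in raw.splitlines():
        event = parse_event(line)
        if event.get("Name") not in WATCHED_SERVICES:
            continue
        status[event["Name"]] = "down" if event["Status"] == STOPPED else "up"
        if is_stopped_non_auto(event):
            failing.append(event["Name"])
    return status, failing


if __name__ == "__main__":
    up_down, failing = service_report(SAMPLE_EVENTS)
    print(up_down)
    print("stopped with manual/disabled start mode:", failing)
```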
Oh, thanks!
Sorry, I am a rookie and I didn't take any e-learning, so it's difficult for me.
I have a last question.
When we write an SPL command, how do we know the exact name of a field in the index?
Are we obliged to display the fields like this:
index=_internal | stats values(*) AS * | transpose | table column | rename column AS Fieldnames
Thanks again.
index=_internal | fieldsummary
Here you can see the summary of all fields. Please refer to this document for more help:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Fieldsummary
Sorry, I have forgotten "error".
So: index=main | followTail = 0 AND _TCP_ROUTING = "pnlogGroup" | "error" | table disabled, time range 120 minutes??
Index = main followTail=0 _TCP_ROUTING="pnlogGroup" "error" | table disabled
Then select a time range of 120 minutes.
So: index=main | followTail = 0 AND _TCP_ROUTING = "pnlogGroup" | table disabled, time range 120 minutes??
So the entire SPL command is:
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1 time range 120 minute ???
Or is it missing some information??
You have to add the index to the query:
Index = winsvc
Please refer to the previous example.
So the entire SPL command is just this?:
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1 time range 120 minute
Nathan
1) OK for this answer
2) I don't understand.
I use the code below because I want to find the word "error" in C:\Tools\Flags,
but I don't know why you put: | table disabled???? disabled = 0 or 1....
So where do I put the word "error" in my SPL command???
[monitor://C:\Tools\Flags]
interval = 120
whitelist = .log$
disabled = 1
followTail = 0
_TCP_ROUTING = pnlogGroup
If you want to add "error":
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" "error" disabled=1
time range 120 minutes
Please refer to the document, which will help you with outputs.conf:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Outputsconf
1)
index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Start mode = "Manuel" OR Start mode = "Désactivé" | table Status
If the status is active then the service is up, else vice versa.
2)
followTail = 0 AND _TCP_ROUTING = "pnlogGroup" | table disabled
time range 120 minutes
Based on the disabled value you can consider whether it's up or down.
disabled = 1 AND followTail = 0 AND _TCP_ROUTING = "pnlogGroup"
Then select the time range as 2 minutes.
Thanks, but you haven't responded to all my questions 😉
I have responded to your previous questions.
Please ask if I missed anything.
Yes, you have missed this, logloganathan.
1) Which SPL command do I have to write to check if the service is up or down? (see code below)
index = winsvc type = service disabled = 1 Name = "CcmExec" OR Name = "RCAgentMgr" OR Name = "WMI" Status = "Arrêté" Start mode = "Manuel" OR Start mode = "Désactivé"
2) Which SPL command do I have to write to check a file? (see code below)
[monitor://C:\Windows\Logs\CBS]
interval = 120
whitelist = .log$
disabled = 1
followTail = 0
_TCP_ROUTING = pnlogGroup
THANKS
Hello all, is nobody able to help me, please??
Thanks very much, lolloganathan!
I have 2 other questions.
1) Now that I have modified inputs.conf, which SPL command do I have to write to check if the service is up or down?
2) I wrote the code below for monitoring a file in Splunk.
Does it seem to be OK?
Same question: which SPL command do I have to write to check the log from Splunk?
Sorry, I am a rookie.
[monitor://C:\Windows\Logs\CBS]
interval = 120
whitelist = .log$
disabled = 1
followTail = 0
_TCP_ROUTING = pnlogGroup
Thanks.