How do I write a search that shows the current uptime of the server, and the date/time/user of the last reboot of the server?
These are Windows boxes. What would the search be for finding the last reboot of a server using event logs, and the date/time/user who last rebooted the server?
The Event ID you are looking for is 1074. The syntax for this Event ID is (where %% are variables):
The process %% has initiated the %% of computer %% on behalf of user %% for the following reason: %%
Reason Code: %%
Shutdown Type: %%
Comment: %%
Since we don't know whether field extraction is set up or what the custom field names are in your environment, we'll use a rex command (we'll assume, at a minimum, that the Event ID is stored in the field EventCode):
sourcetype="WinEventLog:*" EventCode=1074
| rex field=_raw "The process (?<process>.+?) has initiated the (?<action>.+?) of computer (?<computer>\S+) on behalf of user (?<calling_user>.+?) for the following reason: (?<poweroff_reason>[^\r\n]*)"
| head 1
| table _time computer action calling_user poweroff_reason
If field extraction is being done, remove the rex command and simply replace the field names in the table command.
Reference:
https://kb.eventtracker.com/evtpass/evtpages/EventId_1074_User32_46330.asp
https://shellgeek.com/event-id-1074-system-restart-or-shutdown/
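The same extraction as the rex above, reworked as an added Python example (not part of the answer) against constructed sample 1074 messages: it shows why the process and user fields need lazy groups rather than [^ ]+, and mirrors the head 1 selection and the uptime arithmetic; the message layout is the Event ID 1074 template quoted above, and the sample values are assumptions.

```python
import re
from datetime import datetime

# Constructed sample events (timestamp, 1074 message text); not real logs.
# The process field ("...exe (SRV01)") and the user field ("NT AUTHORITY\SYSTEM")
# can contain spaces, which is why a [^ ]+ group fails on them.
SAMPLE_EVENTS = [
    ("2024-04-20T22:05:10+00:00",
     "The process C:\\Windows\\system32\\winlogon.exe (SRV01) has initiated the "
     "power off of computer SRV01 on behalf of user NT AUTHORITY\\SYSTEM for the "
     "following reason: No title for this reason could be found\n"
     " Reason Code: 0x500ff\n Shutdown Type: power off\n Comment: "),
    ("2024-05-01T03:12:44+00:00",
     "The process C:\\Windows\\system32\\shutdown.exe (SRV01) has initiated the "
     "restart of computer SRV01 on behalf of user CORP\\admin.jane for the "
     "following reason: Operating System: Service pack (Planned)\n"
     " Reason Code: 0x80020010\n Shutdown Type: restart\n Comment: Patch Tuesday"),
]

# Same layout as the rex in the answer, but lazy (.+?) groups where the
# message template allows spaces; DOTALL lets the trailing fields span lines.
EVENT_1074_RE = re.compile(
    r"The process (?P<process>.+?) has initiated the (?P<action>.+?) of computer "
    r"(?P<computer>\S+) on behalf of user (?P<calling_user>.+?) for the following "
    r"reason: (?P<poweroff_reason>.*?)\s*Reason Code: (?P<reason_code>\S+)\s*"
    r"Shutdown Type: (?P<shutdown_type>.+?)\s*Comment: (?P<comment>.*)",
    re.DOTALL,
)

def parse_1074(message):
    """Extract the fields of one Event ID 1074 message; None if it does not match."""
    m = EVENT_1074_RE.search(message)
    return None if m is None else {k: v.strip() for k, v in m.groupdict().items()}

def last_reboot(events):
    """Like '| head 1' on a newest-first result set, skipping unparseable messages."""
    for ts, msg in sorted(events, key=lambda e: datetime.fromisoformat(e[0]), reverse=True):
        fields = parse_1074(msg)
        if fields is not None:
            return dict(fields, _time=ts)
    return None

def uptime_hours(event_time_iso, now_iso):
    """Same arithmetic as the uptime search: hours since the event, one decimal."""
    started, now = datetime.fromisoformat(event_time_iso), datetime.fromisoformat(now_iso)
    return round((now - started).total_seconds() / 3600, 1)
```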
Thank you, the above search worked, but it's not giving the calling_user and poweroff_reason details. Does anything need to be modified in the search? Please advise.
Any updates? If this works accept the answer to close the question.
What you are asking depends on the operating system of the host you are asking about. Windows devices will log the information you are asking for differently than a *nix device.
If you are looking for the current uptime of a Splunk process (say Splunk Enterprise), you can run the following search:
index=_internal host=<hostname> "My hostname is"
| eval uptime_hours = round((now() - _time) / (60 * 60), 1)
| table uptime_hours
$SPLUNK_HOME/var/log/splunk/splunkd.log writes the message "My hostname is <hostname>" when an instance of Splunk is first started, so we can use this timestamp to determine the current uptime of a Splunk instance.
To answer the rest of your question we need more information.