Splunk Search

Service Check in Table

tmarlette
Motivator

I have quite a few services that I am looking to grab the latest state on, for each machine.

I am trying to come up with a couple different searches, and wanted to look here for some help.

  • I am trying to build a search that will table each of the services, and their latest state, by host. What I have so far is this:

sourcetype=WMI:Service Name=servicename host=hostname | stats latest(State) by host,Name

  • The next search I'm trying to create is one to search for an 'OK' state based upon the parameters I give it. This would be a set of services that are in an 'up' state, and if any one of them is down, then it reports a 'Bad' state. I'm doing something like this currently:

    sourcetype=WMI:Service (Name= OR Name= OR Name= OR Name= OR Name=) | dedup host | eval State = if(State == "Running", "OK", "Down") | stats latest(State) by _time,host

I believe this is giving me the latest results, all together. Is there a better way to do either of these?

0 Karma
1 Solution

linu1988
Champion

Hello,
you would probably be better off using the dedup option for getting the latest state of the service. As I see you are using a WMI query, which itself gives the proper state and status of the service, you need not do this many things. So I would go with

sourcetype=WMI:Service Name=servicename host=hostname | dedup Name,host | table host,Name,State

You will always get the latest record received from the forwarder.

Similarly for the second one you should be doing dedup on host,Name as well.

sourcetype=WMI:Service (Name=<svc_1> OR Name=<svc_2> OR Name=<svc_3> OR Name=<svc_4> OR Name=<svc_5>) | dedup host,Name | eval State = if(State == "Running", "OK", "Down") | table _time,host,Name,State | rename Name as "Service Name"

And for saving some indexing you can filter your service definition with the same WMI query and add a where condition so that no data is sent unless the services are stopped.

SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service WHERE (Name = "svc1" OR Name = "svc2") AND State = "Stopped"

Thanks


0 Karma
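The logic the two searches above are reaching for, worked through in Python as an added example (not code from the thread or from Splunk): keep only the newest State per (host, Name) pair, which is what `dedup host,Name` does and what a plain `dedup host` cannot do since it leaves one service per host, then roll the result up to the single per-host OK/Down verdict the question asks for. Hosts, service names and timestamps are constructed sample data.

```python
from collections import defaultdict

# Constructed sample WMI:Service events (not taken from the thread), one dict
# per indexed event. A larger _time means a newer sample from the forwarder.
EVENTS = [
    {"_time": 100, "host": "web01", "Name": "W3SVC",   "State": "Running"},
    {"_time": 100, "host": "web01", "Name": "WinRM",   "State": "Running"},
    {"_time": 100, "host": "web01", "Name": "Spooler", "State": "Stopped"},  # not monitored
    {"_time": 200, "host": "web01", "Name": "W3SVC",   "State": "Stopped"},
    {"_time": 300, "host": "web01", "Name": "W3SVC",   "State": "Running"},  # recovered
    {"_time": 100, "host": "web02", "Name": "W3SVC",   "State": "Running"},
    {"_time": 100, "host": "web02", "Name": "WinRM",   "State": "Stopped"},
    {"_time": 200, "host": "web02", "Name": "WinRM",   "State": "Running"},
    {"_time": 250, "host": "web02", "Name": "W3SVC",   "State": "Stopped"},  # still down
    {"_time": 100, "host": "web03", "Name": "W3SVC",   "State": "Running"},  # WinRM never seen
]

# The (Name=<svc_1> OR Name=<svc_2> ...) list from the search.
MONITORED = {"W3SVC", "WinRM"}


def latest_state_by_host_service(events, monitored):
    """Equivalent of `... | dedup host,Name` on newest-first results:
    keep only the most recent State for each (host, Name) pair."""
    latest = {}
    for ev in events:
        if ev["Name"] not in monitored:
            continue
        key = (ev["host"], ev["Name"])
        if key not in latest or ev["_time"] > latest[key]["_time"]:
            latest[key] = ev
    return {key: ev["State"] for key, ev in latest.items()}


def host_status(latest, monitored):
    """Roll the per-service states up to one verdict per host: OK only if
    every monitored service was last seen Running. A monitored service with
    no event at all counts as Down, because missing data is not evidence of health."""
    by_host = defaultdict(dict)
    for (host, name), state in latest.items():
        by_host[host][name] = state
    return {
        host: "OK" if all(states.get(n) == "Running" for n in monitored) else "Down"
        for host, states in by_host.items()
    }


if __name__ == "__main__":
    latest = latest_state_by_host_service(EVENTS, MONITORED)
    for (host, name), state in sorted(latest.items()):
        print(f"{host:6} {name:6} {state}")
    print(host_status(latest, MONITORED))  # {'web01': 'OK', 'web02': 'Down', 'web03': 'Down'}
```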
