Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What search can I use to know if a service had been restart after a certain period of time?

7ryota
Explorer
‎04-05-2023 01:24 AM

hi all,

i have this logs which i am interested in know if there is a agent restarted after certain period when the agent got stop

 

index=unix sourcetype=syslog

centrifyEventID=17000    Centrify agent (adclient) started
centrifyEventID=17002    Centrify agent (adclient) stopped   

 

can help to to construct the query to search to if the agent got started within 10mins after the agent got stop

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-05-2023 04:40 PM

I am assuming that you asked this wrong and actually desire to know when there was a stop WITHOUT a start within 10-minutes.  If so:

index="unix" AND sourcetype="syslog" AND centrifyEventID IN("17000", "17002")
| reverse 
| streamstats count(eval(centrifyEventID="17000")) AS sessionID BY host 
| stats min(_time) AS _time range(_time) AS duration values(centrifyEventID) AS values dc(centrifyEventID) AS dc count BY sessionID host 
| rename COMMENT AS "Above is the setup, I *might* not have the logic exactly right below"
| where (dc==1 AND values=="17002" AND (now() - _time) > (10 * 60))
OR (dc==2 AND range > (10 * 60))
0 Karma
Reply

7ryota
Explorer
‎04-05-2023 01:35 AM

hi,

thanks for the fast reply,

how to i construct the query to search for unique host which had agent stop and search for restart within 10min

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-05-2023 01:52 AM

Hi @7ryota,

if you have more hosts, you have only to add host as grouping key in the stats command

index=your_index (centrifyEventID=17000 OR centrifyEventID=17002) earliest=-10m@m latest=now
| stats dc(centrifyEventID) AS centrifyEventID_count values(centrifyEventID) AS centrifyEventID BY host
| where centrifyEventID_count=1 AND centrifyEventID=17002

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-05-2023 01:31 AM

Hi @7ryota,

the centrifyEventID should be automaticaly extracted by Splunk so you shouldn't need to extract them, if not true, please telle me that I add a regex extraction.

Anyway, you have to run an alert using a search like the following:

index=your_index (centrifyEventID=17000 OR centrifyEventID=17002) earliest=-10m@m latest=now
| stats dc(centrifyEventID) AS centrifyEventID_count values(centrifyEventID) AS centrifyEventID
| where centrifyEventID_count=1 AND centrifyEventID=17002

in this way, if you have results, this means that the service was stopped and there wasn't any start event in the last ten minutes.

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...