- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Service Check in Table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have quite a few services that I am looking to grab the latest state on, for each machine.
I am trying to come up with a couple different searches, and wanted to look here for some help.
- I am trying to build a search that will table each of the services, and their latest state, by host. What I have so far is this:
sourcetype=WMI:Service Name=servicename host=hostname | stats latest(State) by host,Name
The next search I'm trying to create is one to search for an 'OK' state based upon the parameters I give it. This would be a set of services that are in an 'up' state, and if any one of them are down, then it reports a 'Bad' state. I'm doing something like this currently:
sourcetype=WMI:Service (Name=
OR Name= OR Name= OR name= OR Name= ) | dedup host | eval State = if(State == Running, "OK", "Down") | stats latest(State) by _time,host
I believe this is giving me the latest results, all together. Is there a better way to do either of these?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
you would probably better of use the dedup option for getting the latest state of the service. As i see you are using WMI query which is itself giving the proper state and staus of the service you need not do these many things. So i would go with
sourcetype=WMI:Service Name=servicename host=hostname|dedup service,host|Table host,Name
You will always get the latest record recieved from the forwarder.
Similarly for the second one you should be doing dedup on host,Name as well.
sourcetype=WMI:Service (Name=<svc_1> OR Name=<svc_2> OR Name=<svc_3> OR name=<svc_4> OR Name=<svc_5>) | dedup host,Name | eval State = if(State == Running, "OK", "Down") |table _time,host,Name,State| rename Name as "Service Name"
And for saving some indexing you can filter out you service definition with same WMI query and make a where condition not to send data if the services are not stopped.
SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service Where (Name = svc1 Or Name = svc2) AND Status = "Stopped"
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
you would probably better of use the dedup option for getting the latest state of the service. As i see you are using WMI query which is itself giving the proper state and staus of the service you need not do these many things. So i would go with
sourcetype=WMI:Service Name=servicename host=hostname|dedup service,host|Table host,Name
You will always get the latest record recieved from the forwarder.
Similarly for the second one you should be doing dedup on host,Name as well.
sourcetype=WMI:Service (Name=<svc_1> OR Name=<svc_2> OR Name=<svc_3> OR name=<svc_4> OR Name=<svc_5>) | dedup host,Name | eval State = if(State == Running, "OK", "Down") |table _time,host,Name,State| rename Name as "Service Name"
And for saving some indexing you can filter out you service definition with same WMI query and make a where condition not to send data if the services are not stopped.
SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service Where (Name = svc1 Or Name = svc2) AND Status = "Stopped"
Thanks
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
