How to search and alert when when my machines with...

deepthi5 · ‎09-08-2015

Hi ,

I have 10 machines installed with the Splunk forwarder and I need a search to alert and send an email whenever my machines restart consecutively within a 1 hour span of time.

Thanks and Regards,
Deepthi Bulusu

somesoni2 · ‎09-08-2015

Make this search run every 30 mins

index=_internal sourcetype=splunkd (host=host1 OR host=host2 OR host=host3.... OR host=host10) component=loader "Splunkd starting"  earliest=-2h | table host _time component | sort 0 host _time | streamstats current=f window=1 values(_time) as prev by host | eval duration=_time-prev | where duration<3600 | dedup host

deepthi5 · ‎09-10-2015

Hi somesoni

Thanks for the quick response this works fine but is their any other way apart from getting the status based on SPLUNKd starting can we get these from any other windows event logs or sooo pls help me

somesoni2 · ‎09-10-2015

There could be other ways but I'm pretty sure I don't use that so won't be able to give you samples. But here is a link which talks about Windows event log for service start/stop. If you've that ingested in Splunk, use the similar format as in my answer to achieve the same,
http://stackoverflow.com/questions/1067531/are-there-any-log-file-about-windows-services-status

Find restart events in past 2h | sort ..| streamstats... rest of the search

woodcock · ‎09-10-2015

Like I said, give us a search that shows a machine's restart and the log that that search returns.

woodcock · ‎09-08-2015

Give us a search that shows a machine's restart and the log that that search returns.

How to search and alert when when my machines with Splunk forwarders restart consecutively within 1 hour?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes