Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I monitor uptime of certain windows services?

saccam447
Explorer
‎12-08-2011 11:05 AM

Id like to monitor the services uptime of some of our mission critical servers i.e. IIS, DBs, Application Pools within IIS, etc.

Is there a way where I can do something like this?

Tags (3)
0 Karma
Reply

tred23
Path Finder
‎12-20-2016 12:50 AM

I found that using the WinHostMon sourcetype works better as the WMI sourcetype stopped reading after it encountered a space in the name of the service. It was also dedupping any services that had the same word before the space. WinHostMon reports correctly.

Here is the code I used:

index="windows" sourcetype="WinHostMon" source=service earliest="-24h@h" latest="now"  |
    stats latest(State) AS Status by host DisplayName |
    rename DisplayName AS "Display Name"

Hope that helps.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-08-2011 12:05 PM

One possible approach is by WMI. WMI provides the Win32_Service class which you can query in Splunk. then search upon the results.

I use this in wmi.conf to collect WMI information about running services so I can alert when a service that is expected to be running isn't.

[WMI:Services]
interval = 60
disabled = 0
index = default
wql = select Name, ProcessId, Caption, DisplayName, State, Status, StartName, SystemName from Win32_Service
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-15-2011 10:38 AM

Yes, you will need to make a .conf file to support this. What I provided is basically data capture. It will give you, every minute, a list of all of the NT services and their current state (Running, Stopped, Starting, etc). Doesn't care what the service is or what it does. From there, it's up to you to make a search that searches on the services you care about and their correct status.

0 Karma
Reply

cmahan
Path Finder
‎04-07-2016 09:42 AM

How do we limit to certain services? The volume of data is fairly huge with nearly 200 services on my servers. Killing my index volume. I really only care about a handful of the services.

0 Karma
Reply

moesaidi
Path Finder
‎02-20-2018 06:34 AM

Unfortunately there is no whitelist or blacklist available for WinHostMon so it monitors all services and indexes the data for all.
The "where" clause noted below will only limit the results after indexing.

0 Karma
Reply

joshuapetitt
Path Finder
‎10-05-2017 11:41 AM

you can use the where clause to limit the services

0 Karma
Reply

saccam447
Explorer
‎12-13-2011 04:28 PM

Will this monitor all services? including SQL and IIS?

Also do i need to create a conf file for this?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...