How to collect Windows service status

morphis72
Path Finder

I'm trying to collect the status of two Windows services, but I don't need the status of the rest of the services on the boxes. If I put in a WinHostMon stanza it collects everything, but I can't seem to whitelist just the two I want.

Is there an easy way to do this without creating a props and transform?
I tried configuring a WMI stanza, but I must have something incorrect.
See my example stanza below:

[WMI:Services]
interval = 300
disabled = 0
index = MyIndex
sourcetype = dwps-service
whitelist = "service1"
whitelist1 = "service2"
wql = select Name, DisplayName, State, Status, StartName FROM Win32_Service
0 Karma

jacobpevans
Motivator

Greetings @morphis72,

I would just grab all the services and filter within Splunk.

If you really don't want to go that route, you should be able to do this:

[WMI:Services]
interval = 300
disabled = 0
index = MyIndex
sourcetype = dwps-service
wql = select Name, DisplayName, State, Status, StartName FROM Win32_Service WHERE Name = "service1" OR Name = "service2"

See here for everything you can do with WMI querying: https://www.darkoperator.com/blog/2013/3/11/introduction-to-wmi-basics-with-powershell-part-3-wql-an...

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

morphis72
Path Finder

Hi Jacob,

Thanks for the response. I tried the above stanza with the two service names I'm shooting for, but didn't get anything back.

This is what the event looks like when I pull it in with WinHostMon, and in the wql statement above I'm using Name = "Blue Prism Server":

Type=Service
Name="Blue Prism Server"
DisplayName="Blue Prism Server"
Description="The Blue Prism Server Service"
Path="C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe"
ServiceType="Own Process"
StartMode="Manual"
Started=false
State="Stopped"
Status="OK"
ProcessId=0

0 Karma
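Added check, not code from either poster: run the same WQL that the answer's wmi.conf stanza uses directly on the Windows host with PowerShell, so you can see whether the WHERE clause returns rows before relying on it in Splunk. The service names in `$services` are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Runs the stanza's WQL locally so the
# filter can be confirmed on the host before it goes into wmi.conf.
$services = @('service1', 'service2')   # placeholders: the Win32_Service.Name values you expect

# Build the WHERE clause the same way the stanza does: Name = '...' OR Name = '...'
$where = ($services | ForEach-Object { "Name = '$_'" }) -join ' OR '
$wql   = "SELECT Name, DisplayName, State, Status, StartName FROM Win32_Service WHERE $where"
Write-Host "WQL: $wql"

# Get-CimInstance accepts a WQL -Query, the same query string Splunk's WMI input sends.
$matched = Get-CimInstance -Query $wql

if (-not $matched) {
    # Nothing matched: Win32_Service.Name is the short service key name, which can
    # differ from DisplayName. List services whose Name or DisplayName contains one of
    # the terms so the correct Name value can be put into the stanza.
    Write-Warning "WHERE clause returned no rows; showing candidate services instead."
    $pattern = ($services | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
        Select-Object Name, DisplayName, State, Status, StartName |
        Format-Table -AutoSize
} else {
    # These are exactly the fields the stanza selects, so the output mirrors the Splunk event.
    $matched | Select-Object Name, DisplayName, State, Status, StartName | Format-Table -AutoSize
}
```

If the query returns rows here but the Splunk input still collects nothing, the WQL itself is not the problem and the stanza placement or input permissions should be checked next.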