Getting Data In

How to collect Windows service status

morphis72
Path Finder

I'm trying to collect the status of two Windows services, but I don't need the status of the rest of the services on the boxes. If I put in a WinHostMon stanza it collects everything, but I can't seem to whitelist just the two I want.

Is there an easy way to do this without creating a props and transform?
I tried configuring a WMI stanza, but I have something incorrect.
See my example stanza below:

[WMI:Services]
interval = 300
disabled = 0
index = MyIndex
sourcetype = dwps-service
whitelist = "service1"
whitelist1 = "service2"
wql = select Name, DisplayName, State, Status, StartName FROM Win32_Service
0 Karma

jacobpevans
Motivator

Greetings @morphis72,

I would just grab all the services and filter within Splunk.

If you really don't want to go that route, you should be able to do this:

 [WMI:Services]
 interval = 300
 disabled = 0
 index = MyIndex
 sourcetype = dwps-service
 wql = select Name, DisplayName, State, Status, StartName FROM Win32_Service WHERE Name = "service1" OR Name = "service2"

See here for everything you can do with WMI querying: https://www.darkoperator.com/blog/2013/3/11/introduction-to-wmi-basics-with-powershell-part-3-wql-an...

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

morphis72
Path Finder

Hi Jacob,

Thanks for the response. I tried the above stanza with my two service names I'm shooting for but didn't get anything back.

This is what the event looks like when I pull it in with WinHostMon, and in the WQL statement above I'm using name = "Blue Prism Server"

Type=Service
Name="Blue Prism Server"
DisplayName="Blue Prism Server"
Description="The Blue Prism Server Service"
Path="C:\Program Files\Blue Prism Limited\Blue Prism Automate\BPServerService.exe"
ServiceType="Own Process"
StartMode="Manual"
Started=false
State="Stopped"
Status="OK"
ProcessId=0

0 Karma
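A way to check the WQL filter from the answer above on the host itself before it goes into wmi.conf, as an added example that is not part of the thread. It assumes PowerShell 3 or later on the Windows box being monitored and uses 'service1' and 'service2' as placeholder service names; Get-CimInstance runs the same Win32_Service query that the WMI input would run, and the helper also reports when a requested name matches only DisplayName rather than Name, which is one reason a WHERE Name = ... filter can return no rows.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3+ on the Windows host
# being monitored; 'service1' and 'service2' are placeholder service names.
function Test-ServiceWql {
    param(
        [Parameter(Mandatory)][string[]]$ServiceName,   # short service names (Win32_Service.Name)
        [string]$ComputerName                             # optional remote host (queried over WinRM)
    )
    # Build the WHERE clause. Single quotes are the common WQL string delimiter;
    # a quote inside a name is doubled so it stays inside the literal.
    $clauses = $ServiceName | ForEach-Object { "Name = '" + ($_ -replace "'", "''") + "'" }
    $wql = "SELECT Name, DisplayName, State, Status, StartName FROM Win32_Service WHERE " +
           ($clauses -join ' OR ')
    Write-Host "WQL: $wql"

    # Only pass -ComputerName when one was given, so the local host is queried directly.
    $cim = @{}
    if ($ComputerName) { $cim['ComputerName'] = $ComputerName }
    $found = @(Get-CimInstance -Query $wql @cim)

    # Explain every requested name that came back empty: a DisplayName-only match is
    # one reason a WHERE Name = ... filter returns nothing.
    foreach ($n in $ServiceName) {
        if (-not ($found | Where-Object Name -eq $n)) {
            $esc = $n -replace "'", "''"
            $byDisplay = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$esc'" @cim
            if ($byDisplay) {
                Write-Warning "'$n' is a DisplayName; use Name = '$($byDisplay.Name)' in the WQL instead"
            } else {
                Write-Warning "'$n' matched neither Name nor DisplayName; check the spelling with Get-Service"
            }
        }
    }
    $found | Select-Object Name, DisplayName, State, Status, StartName
}

Test-ServiceWql -ServiceName 'service1', 'service2'
```

The WQL string the function prints is the text to put in the `wql` setting of the `[WMI:Services]` stanza in wmi.conf on the Splunk instance doing the collection; if the function returns rows for both names but Splunk still indexes nothing, the problem is on the Splunk side (stanza placement, the account Splunk uses for WMI, or the index) rather than in the query.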