Splunk Search

using transaction to check service status

abdallah_hegazy
Explorer

Hi 🙂

We have McAfee Solidifier (software for real-time change monitoring of software code and server configuration).

Solidifier is installed on users' PCs, but unfortunately users with administrative privileges can stop the Solidifier services and hence stop monitoring!

Using Splunk, we are monitoring the McAfee Solidifier service status (whether it is running or stopped), but
when a user's PC is going to halt (shut down), Windows will generate a message that the McAfee Solidifier service has stopped and then another message that the system will shut down.

like this :

Message=The McAfee Solidifier service entered the stopped state.

Then :

Message=The operating system is shutting down at system time 2016-03-30T13:15:00.728125000Z.

I need to get an alert only when the Solidifier service is stopped but no shutdown event is generated after it (as in the normal shutdown process).

I used this query, but it's not working as expected:

index="*" EventType=4 | transaction ComputerName startswith="The McAfee Solidifier service entered the stopped state" endswith=search(body!="The operating system is shutting"* ) maxpause=60s

Kindly find sample log events below:

04:14:56 PM
LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
EventType=4
Type=Information
ComputerName=QC2
TaskCategory=The operation completed successfully.
OpCode=The operation completed successfully.
RecordNumber=408853
Keywords=Classic
Message=The McAfee Solidifier service entered the stopped state.


04:15:00 PM
LogName=System
SourceName=Microsoft-Windows-Kernel-General
EventCode=13
EventType=4
Type=Information
ComputerName=QC2
TaskCategory=None
OpCode=Info
RecordNumber=408854
Keywords=None
Message=The operating system is shutting down at system time 2016-03-30T13:15:00.728125000Z

Thanks.

0 Karma

woodcock
Esteemed Legend

First, avoid transaction; try this:

index="*" EventType=4 ("The McAfee Solidifier service entered the stopped state" OR "The operating system is shutting")
| reverse
| streamstats count(eval(searchmatch("The McAfee Solidifier service entered the stopped state"))) AS SessionID BY ComputerName
| reverse
| streamstats current=f last(_time) AS next_time BY SessionID ComputerName
| eval delta = next_time - _time
| where isnull(next_time) OR delta>60
| search "The McAfee Solidifier service entered the stopped state"

This will show every "stop event" which either does not have a "shutdown" event (or has one, but it is farther than 60 seconds later). I think you probably do not need the delta stuff at all (you probably only had that to keep transaction from blowing up).

0 Karma
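The detection rule discussed in the question and in the answer above, "alert on a Solidifier stop that is not followed by a host shutdown within 60 seconds", re-implemented outside Splunk as an added example so it can be run and tested against sample events. This is not code from either poster or from McAfee. It assumes the key=value event layout shown in the question (EventCode 7036 with the stopped-state message, EventCode 13 with the shutting-down message) and uses constructed events with explicit timestamps; the per-host grouping and the 60-second grace window mirror the SPL answer, and the sample deliberately includes a shutdown that arrives too late and a shutdown that precedes the stop, neither of which should explain the stop.

```python
"""Flag McAfee Solidifier service stops that are not explained by a host
shutdown within a grace window (added example, not from the original post)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

STOP_MSG = "The McAfee Solidifier service entered the stopped state."
SHUTDOWN_MSG = "The operating system is shutting down"
SCM_CODE = 7036       # Service Control Manager: service state change
KERNEL_SHUTDOWN = 13  # Kernel-General: operating system shutting down

# Constructed sample events in the layout from the question. Each event is
# preceded by a full timestamp line so the example is self-contained.
#   QC2: stop, then shutdown 4 s later            -> benign
#   QC7: shutdown at 16:10, stop at 16:20, nothing after -> alert
#   QC9: stop, then shutdown 300 s later          -> alert (outside window)
SAMPLE_EVENTS = """\
2016-03-30 16:14:56
LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
ComputerName=QC2
Message=The McAfee Solidifier service entered the stopped state.

2016-03-30 16:15:00
LogName=System
SourceName=Microsoft-Windows-Kernel-General
EventCode=13
ComputerName=QC2
Message=The operating system is shutting down at system time 2016-03-30T13:15:00.728125000Z

2016-03-30 16:10:00
LogName=System
SourceName=Microsoft-Windows-Kernel-General
EventCode=13
ComputerName=QC7
Message=The operating system is shutting down at system time 2016-03-30T13:10:00.000000000Z

2016-03-30 16:20:10
LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
ComputerName=QC7
Message=The McAfee Solidifier service entered the stopped state.

2016-03-30 16:40:00
LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
ComputerName=QC9
Message=The McAfee Solidifier service entered the stopped state.

2016-03-30 16:45:00
LogName=System
SourceName=Microsoft-Windows-Kernel-General
EventCode=13
ComputerName=QC9
Message=The operating system is shutting down at system time 2016-03-30T13:45:00.000000000Z
"""


@dataclass
class Event:
    time: datetime
    host: str
    code: int
    message: str


def parse_events(text: str) -> list:
    """Parse blank-line separated blocks: a timestamp line then key=value lines."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        stamp = datetime.strptime(lines[0].strip(), "%Y-%m-%d %H:%M:%S")
        fields = dict(line.split("=", 1) for line in lines[1:] if "=" in line)
        events.append(Event(stamp, fields["ComputerName"],
                            int(fields["EventCode"]), fields["Message"]))
    return events


def is_stop(e: Event) -> bool:
    return e.code == SCM_CODE and e.message == STOP_MSG


def is_shutdown(e: Event) -> bool:
    return e.code == KERNEL_SHUTDOWN and e.message.startswith(SHUTDOWN_MSG)


def find_unexplained_stops(events, grace=timedelta(seconds=60)):
    """Return (host, iso_time) for each stop with no shutdown on the same host
    in the window [stop, stop + grace]. Earlier shutdowns do not count."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.time):
        by_host[e.host].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if not is_stop(e):
                continue
            # Only look at events that follow the stop, per host.
            explained = any(is_shutdown(n) and n.time - e.time <= grace
                            for n in evs[i + 1:])
            if not explained:
                alerts.append((host, e.time.isoformat()))
    return sorted(alerts, key=lambda a: a[1])


if __name__ == "__main__":
    for host, when in find_unexplained_stops(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: Solidifier stopped on {host} at {when} with no shutdown within 60s")
```

The window is evaluated per host and only forward in time, which is the point the question's transaction attempt was missing: a shutdown logged before the stop, or on a different ComputerName, says nothing about why the service went down. In Splunk the equivalent is the answer's streamstats over SessionID BY ComputerName; this script exists so the logic can be checked against a fixed set of events before it is turned into an alert.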

abdallah_hegazy
Explorer

@woodcock Thanks a lot for your kind support 🙂
I will check and follow up soon. Thanks.

0 Karma