I am setting up som alerts for windows services. using the code below. But sometimes I am getting an alert for a service that have the state "Running". We canĀ“t se that the service are stopped or restarted under the period. Does any one have an idea what could be wrong? Or should I change the query to something else?
I want an alert every time the service is stopped so the support team can take action.
ConfigurationData
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated
| where (SvcName =~ "W3SVC")
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated
| where SvcState != "Running"
Update:
There is a potential issue in your query, like below:
if the SvcState state is stopped at 2019/09/06 1:00 PM, then you fix the issue by restart it. Let's say it's running again in 2019/09/06 2:00 PM. But in your query, for example, the query runs from 2019/09/06 1:00 PM, it will always return a result to indicate the service is stopped(which is actually an old state in 1:00 pm, but the latest state is running in 2:00 pm)
So you should get the latest SvcState by using top 1 by TimeGenerated, which is ordered by desc in TimeGenerated by default.
Please try the code below:
ConfigurationData
| top 1 by TimeGenerated
| project Computer, SvcName, SvcDisplayName, SvcState, TimeGenerated
| where (SvcName =~ "W3SVC") and SvcState != "Running"
Related
I'm trying to have a quick overview on last heartbeats from all the workspaces we have.
Now, I can do that with this query, except for the watchlist line, because it uses the watchlist from the workspace where I'm doing the query, not from each of the other workspaces:
union
workspace("<workspace_id1").Heartbeat,
workspace("<workspace_id2").Heartbeat
| where TimeGenerated > ago(timeRange)
| where not (Computer in ( (_GetWatchlist('<watchlist_name>') | project SearchKey)) )
| summarize arg_max(TimeGenerated,*) by Computer, OSType
Is it possible to do it?
Thanks in advance
I am new to log analytics and am trying to get a list of PCs that have failed a process without subsequently succeeding.
In my example, a PC will log an error event 360 and can do this many times, until the issue is resolved, then it will log a 300 success.
I have 2 simple queries that return all the success and error logs:
Succeeds Log
Event
| where EventLog == "Microsoft-Windows-User Device Registration/Admin" | where EventID == "300"
| project Computer, TimeGenerated, EventLevelName, EventID, RenderedDescription
Error Log
Event
| where EventLog == "Microsoft-Windows-User Device Registration/Admin" | where EventID == "360"
| project Computer, TimeGenerated, EventLevelName, EventID, RenderedDescription
So I am looking to filter out all computers that have a 300 success log even if they have at some point failed (because they have been fixed).
Thanks.
I am new to splunk. Wanted to create a splunk alert to check if logs has been received from all the host or not and if not need to set a alert trigger.
| tstats latest(_time) as latest where index=* earliest=-24h by host
| eval recent = if(latest > relative_time(now(),"-5m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0
is the above splunk Query correct?
The query looks good, but the best way to know is to try it. Does it produce the desired results?
I am attempting to create an alert that lets me know if a data source stops providing logs to Sentinel. While I know it displays anomalies in log data on the dash board, I am hoping to receive alerts if a source stops providing logs for an extended period of time.
Something like creating a rule with the following query (CEF in this case):
CommonSecurityLog
| where TimeGenerated > ago(24h)
| summarize count() by DeviceVendor, DeviceProduct, DeviceName, DeviceExternalID
| where count_ == 0
Here's my Problem when I start the app. for example at 3:00 PM and I use the DateTime.Now.timeofday.tostring() and output it, it calls out 3:00 PM, but after waiting 5 mins (3:05) without closing the app, I still get the same output (3:00). how do I make sure that the time is always up to date without having to close the app.???
To get current time you may use either
DateTime.Now.ToLongTimeString()
or
DateTime.Now.ToShortTimeString()
It will get updated properly.