Splunk Lantern

Current state of Windows services on a host

You might want to see the current state of one or more services running on a host when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Many critical IT applications and services on Windows operating systems run as a Windows Service. If an expected Windows Service is not currently in a running state, it may result in stability issues for a critical application. You want to be able to see the current state of one or more services running on a host.

To optimize the search shown below, you should specify an index and a time range.

  1. Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Run the following search: 
host="<name of host to check>" DisplayName="<name of service to check>" sourcetype=WinHostMon source=service
| rename DisplayName AS "Service"
| stats latest(State) AS State BY host Service Path

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `host="<name of host to check>" DisplayName="<name of service to check>"` | Search index(es) where Windows service status data is being collected and filter down to the desired host(s) and service(s) to check. |
| `sourcetype=WinHostMon source=service` | Search only Windows host monitoring data. |
| `\| rename DisplayName AS "Service"` | Rename the field as shown for better readability. |
| `\| stats latest(State) AS State BY host Service Path` | Return the most current value for the Service State for each host and service. Include the path used to launch the service in the results for additional context. |
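
The following Python sketch is an added example, not part of the original article or Splunk's own code. It emulates the `stats latest(State) AS State BY host Service Path` step over constructed events to show that `latest()` follows event time rather than arrival order, that a changed `Path` yields a second row for the same service, and that events missing a BY field drop out. The events, the `Example Backup Agent` service with its paths, and the function names are assumptions made for illustration.

```python
from datetime import datetime

SPOOLER = r"C:\Windows\System32\spoolsv.exe"
# Constructed sample events, not real data. Only the fields the search uses
# are modelled; "Example Backup Agent" and its paths are hypothetical.
EVENTS = [
    {"_time": "2024-05-01T10:05:00", "host": "web01", "DisplayName": "Print Spooler",
     "State": "Stopped", "Path": SPOOLER},
    # Listed later but older: latest() goes by _time, not arrival order.
    {"_time": "2024-05-01T10:00:00", "host": "web01", "DisplayName": "Print Spooler",
     "State": "Running", "Path": SPOOLER},
    {"_time": "2024-05-01T10:00:00", "host": "web01", "DisplayName": "Example Backup Agent",
     "State": "Running", "Path": r"C:\Program Files\Backup\agent.exe"},
    # Same service, different Path: BY Path puts it in a separate row.
    {"_time": "2024-05-01T10:10:00", "host": "web01", "DisplayName": "Example Backup Agent",
     "State": "Running", "Path": r"D:\Tools\agent.exe"},
    # No Path field: an event missing a BY field is left out of stats results.
    {"_time": "2024-05-01T10:02:00", "host": "web02", "DisplayName": "Print Spooler",
     "State": "Running"},
]

def latest_state(events, host=None, display_name=None):
    """Emulate: rename DisplayName AS Service | stats latest(State) AS State
    BY host Service Path. Filters are exact matches; SPL wildcards are not modelled."""
    rows = {}
    for ev in events:
        if host is not None and ev.get("host") != host:
            continue
        if display_name is not None and ev.get("DisplayName") != display_name:
            continue
        key = (ev.get("host"), ev.get("DisplayName"), ev.get("Path"))
        if None in key:
            continue  # a BY field is missing, so the event joins no group
        ts = datetime.fromisoformat(ev["_time"])
        if key not in rows or ts > rows[key][0]:
            rows[key] = (ts, ev["State"])
    return [{"host": h, "Service": s, "Path": p, "State": st}
            for (h, s, p), (_, st) in sorted(rows.items())]

def services_with_multiple_paths(rows):
    """Return {(host, Service): [paths]} for services split across several rows."""
    paths = {}
    for r in rows:
        paths.setdefault((r["host"], r["Service"]), []).append(r["Path"])
    return {k: v for k, v in paths.items() if len(v) > 1}

if __name__ == "__main__":
    for row in latest_state(EVENTS):
        print(row)
    print(services_with_multiple_paths(latest_state(EVENTS)))
```

A service that appears with more than one `Path` keeps a row for the old path showing its last reported state, so compare paths before trusting a "Running" row.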

Result

Use these results to monitor services and proactively manage potential stability issues.
