You might want to see the current state of one or more services running on a host when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
Many critical IT applications and services running on Windows operating systems run as a Windows Service. If an expected Windows Service is not currently in a running state, it may result in stability issues for a critical application. You want to be able to see the current state of one or more services running on a host.
To optimize the search shown below, you should specify an index and a time range.
- Verify that you deployed the Splunk Add-on for Microsoft Windows to your search heads, indexers, and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Run the following search:
```
host="<name of host to check>" DisplayName="<name of service to check>" sourcetype=WinHostMon source=service
| rename DisplayName AS "Service"
| stats latest(State) AS State BY host Service Path
```
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `host="<name of host to check>" DisplayName="<name of service to check>"` | Search index(es) where Windows service status data is being collected and filter down to the desired host(s) and service(s) to check. |
| `sourcetype=WinHostMon source=service` | Search only Windows host monitoring data. |
| `\| rename DisplayName AS "Service"` | Rename the field as shown for better readability. |
| `\| stats latest(State) AS State BY host Service Path` | Return the most current value for the Service State for each host and service. Include the path used to launch the service in the results for additional context. |
Use these results to monitor services and proactively manage potential stability issues.
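For ongoing monitoring, the same search can be extended to cover several services on all hosts and return only the rows that need attention. The following is an added example, not part of the original procedure. It assumes that a healthy service reports `State` as `Running`, and the index name, service names, 24-hour window and 60-minute staleness threshold are placeholders to adjust to your WinHostMon polling interval.

```spl
index=<your Windows index> sourcetype=WinHostMon source=service earliest=-24h
    DisplayName IN ("<name of service 1>", "<name of service 2>")
| rename DisplayName AS "Service"
| stats latest(State) AS State latest(_time) AS last_seen BY host Service Path
| eval stale_after_minutes = 60
| eval minutes_since_report = round((now() - last_seen) / 60)
| eval Status = case(
    State != "Running", "not running",
    minutes_since_report > stale_after_minutes, "stale data",
    true(), "ok")
| where Status != "ok"
| convert ctime(last_seen)
| sort host Service
| table host Service Path State Status last_seen minutes_since_report
```

A row marked `stale data` means the last reported state was `Running` but the host has stopped sending service data, so the state shown can no longer be trusted.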