Splunk Lantern

All Windows events on a host

 

Windows event logs provide valuable information that can be used during an investigation to answer questions about a host's behavior, state, health, or performance. You want visibility into all Windows event logs on a host.

Data required

Microsoft: Windows update logs

Procedure

  1. In Splunk Enterprise or Splunk Cloud Platform, verify that you have deployed the Splunk Add-on for Microsoft Windows to your search heads, indexers, and the universal forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    host="<name of host to check>" source=WinEventLog:* <optional keywords>
    

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: host="<name of host to check>" source=WinEventLog:* <optional keywords>

Explanation: Search the indexes where Windows event log data is collected and filter down to the host you want to check. Add optional keywords that are relevant to the investigation; for instance, adding service stopped to the search might help uncover instances where a service was stopped on the host. Otherwise, delete this part of the search.
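As an added example (not part of this Lantern article), the search above extended so that the result is a triage summary rather than a raw event list. The index name wineventlog, the host name WORKSTATION01, and the keywords service and stopped are constructed placeholders; replace them with values from your environment. EventCode is the Windows event ID field extracted by the Splunk Add-on for Microsoft Windows, and source takes values such as WinEventLog:Security, WinEventLog:System, and WinEventLog:Application.

```spl
index=wineventlog host="WORKSTATION01" source=WinEventLog:* "service" "stopped"
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY host, source, EventCode
| convert ctime(first_seen), ctime(last_seen)
| sort -count
```

Unquoted keywords are treated as separate terms that must all appear in an event; quoting them as one phrase ("service stopped") is stricter. Drop the keyword terms entirely to see every event log channel reporting from the host, and check that the host value matches the host name the forwarder actually reports, since a mismatch returns no results rather than an error.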

Next steps

The information returned by this search can help in other investigations.

Additionally, you might be interested in other processes associated with the Maintaining Microsoft Windows systems use case.