Many critical IT applications and services running on Windows operating systems run as a Windows Service. If an expected Windows Service is not currently in a running state, it may result in stability issues for a critical application. You want to be able to see the current state one or more services running on a host.
Microsoft: Windows update logs
- Verify that you deployed the Splunk Add-on for Microsoft Windows add-on to your search heads, indexer, and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
host="<name of host to check>" DisplayName="<name of service to check>" sourcetype=WinHostMon source=service | rename DisplayName AS "Service" | stats latest(State) AS State BY host Service Path
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|host="<name of host to check>" DisplayName="<name of service to check>"||Search index(es) where Windows service status data is being collected and filter down to the desired host(s) and service(s) to check.|
|sourcetype=WinHostMon source=service||Search only Windows host monitoring data.|
|| rename DisplayName AS "Service"||Rename the field as shown for better readability.|
|| stats latest(State) AS State BY host Service Path||Return the most current value for the Service State for each host and service. Include the path used to launch the service in the results for additional context.|
Use these results to monitor services and proactively manage potential stability issues.
You might be interested in other processes associated with the Maintaining Microsoft Windows systems use case.