How do I write a search that shows the current uptime of the server, and the date / time / user who last rebooted the server?

afraanajam
Loves-to-Learn Everything

How do I write a search that shows the current uptime of the server, and the date / time / user who last rebooted the server?


afraanajam
Loves-to-Learn Everything

These are Windows boxes. What would be the search for finding the last reboot of a server using event logs, and the date / time / user who last rebooted the server?


ricotries
Communicator

The Event ID you are looking for is 1074. The syntax for this Event ID is (where %% are variables):

The process %% has initiated the %% of computer %% on behalf of user %% for the following reason: %%
Reason Code: %%
Shutdown Type: %%
Comment: %%

Since we don't know if field extraction is set up and the custom field names in your environment, we'll do a rex command (we'll assume the EventID is stored in the field EventCode at a minimum):

sourcetype="WinEventLog:*" EventCode=1074
| rex field=_raw "The process .+? has initiated the (?<shutdown_type>.+?) of computer (?<computer>\S+) on behalf of user (?<calling_user>.+?) for the following reason: (?<poweroff_reason>.*)"
| head 1
| table _time computer shutdown_type calling_user poweroff_reason

If field extraction is being done, remove the rex command and simply replace the field names in the table command.

Reference:

https://kb.eventtracker.com/evtpass/evtpages/EventId_1074_User32_46330.asp

https://shellgeek.com/event-id-1074-system-restart-or-shutdown/


afraanajam
Loves-to-Learn Everything


Thank you, the above search worked, but it's not giving the calling_user and poweroff_reason details. Does anything need to be modified in the search? Please advise.

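As an added example (not part of any post in this thread), the following Python extractor applies the Event ID 1074 message template quoted in the answer above to constructed sample events, and shows why the follow-up saw empty calling_user and poweroff_reason fields: the message does not always say "restart", and values such as the process name or "NT AUTHORITY\SYSTEM" contain spaces, so single-token captures fail and the whole rex matches nothing. Hostnames, users, timestamps and reason codes in the samples are placeholders.

```python
import re
from typing import Optional

# Field extractor for the Windows Event ID 1074 (User32) message template.
# Lazy captures (.+?) tolerate spaces inside the process name, the shutdown
# type ("restart", "power off", "shutdown") and the user ("NT AUTHORITY\SYSTEM");
# the reason is read up to the end of its line, mirroring how rex's .* behaves.
EVENT_1074_RE = re.compile(
    r"The process (?P<process>.+?) has initiated the (?P<shutdown_type>.+?) "
    r"of computer (?P<computer>\S+) on behalf of user (?P<calling_user>.+?) "
    r"for the following reason: (?P<poweroff_reason>[^\r\n]*)"
)


def parse_event_1074(message: str) -> Optional[dict]:
    """Return the extracted fields, or None when the text is not a 1074 message body."""
    match = EVENT_1074_RE.search(message)
    return match.groupdict() if match else None


def last_reboot(events: list) -> Optional[dict]:
    """events: (ISO timestamp, message) pairs; returns the newest parseable event,
    which is what `| head 1 | table ...` does in the Splunk search above."""
    parsed = [(ts, parse_event_1074(msg)) for ts, msg in events]
    parsed = [(ts, fields) for ts, fields in parsed if fields]
    if not parsed:
        return None
    ts, fields = max(parsed, key=lambda pair: pair[0])  # ISO-8601 sorts lexically
    return {"_time": ts, **fields}


# Constructed sample events (not real logs): hosts, users, times and codes are placeholders.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00Z",
     "The process C:\\Windows\\system32\\winlogon.exe (SRV01) has initiated the "
     "restart of computer SRV01 on behalf of user CORP\\jdoe for the following "
     "reason: Other (Unplanned)\nReason Code: 0x5000000\nShutdown Type: restart\nComment: "),
    ("2024-05-03T22:15:00Z",
     "The process C:\\Windows\\system32\\shutdown.exe (SRV01) has initiated the "
     "power off of computer SRV01 on behalf of user NT AUTHORITY\\SYSTEM for the "
     "following reason: Operating System: Upgrade (Planned)\nReason Code: 0x80020003\n"
     "Shutdown Type: power off\nComment: "),
    # Truncated message: must be skipped rather than produce partial fields.
    ("2024-05-02T12:00:00Z", "The process explorer.exe has initiated the shutdown of computer"),
]

if __name__ == "__main__":
    print(last_reboot(SAMPLE_EVENTS))
```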

ricotries
Communicator

Any updates? If this works accept the answer to close the question.


ricotries
Communicator

What you are asking depends on the operating system of the host you are asking for. Windows devices will log the information you are asking for differently than a *nix device.

If you are looking for the current uptime of a Splunk process (say Splunk Enterprise), you can run the following search:

index=_internal host=<hostname> "My hostname is"
| head 1
| eval uptime_hours = round((now() - _time) / (60 * 60), 1)
| table uptime_hours

$SPLUNK_HOME/var/log/splunk/splunkd.log writes the message "My hostname is <hostname>" when an instance of Splunk is first started, so we can use this timestamp to determine the current uptime of a Splunk instance.

To answer the rest of your question we need more information.
