Get unexpected shutdown date with downtime duration

Mainly saving you the headache of handling hidden characters which made field extraction harder than it needed to be. source=”*WinEventLog:System” EventCode=6008 “unexpected” | rex “shutdown\s+at\s+(?<time>.*)\s+on\s+[^\d]?(?<month>\d+)\/[^\d]?(?<day>\d+)\/[^\d]?(?<year>\d+)\s+was” | eval shutdownTime = strptime(year.”-“.month.”-“.day.” “.time,”%Y-%m-%d %M:%H:%S %p”) | eval downTimeDays = round((_time-shutdownTime)/86400,2) | eval shutdownTime = strftime(shutdownTime,”%c”) | table _time, host, shutdownTime, downTimeDays

Continue Reading →

Monitor for Service Changes in Windows

The following splunk search looks for changes in services within Windows.   sourcetype=”WinEventLog:System” EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,”.”) | eval Short_Message=mvindex(Message,0) | table _time host Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message  

Continue Reading →

Event Logs | System Logs | Warnings and Errors

This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need source=wineventlog:application source=wineventlog:security source=wineventlog:system host=”*” source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message

Continue Reading →

Unintended Windows Shutdowns

This splunk query will show any unintended Windows system Shutdowns. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/ sourcetype=”WinEventLog:system” EventCode=6008 | eval Date=strftime(_time, “%Y/%m/%d”) | table  Date host, index, Message  | sort  – Date

Continue Reading →

Windows Power Off Duration

This query will indicate the time it took between a computer shutdown and a computer powering back on. Typically found in restarts and shutdowns. This would not occur during a hard-reset or loss of power. sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006) | transaction host startswith=”EventCode=6006″ endswith=”EventCode=6005″ | eval restart_duration=tostring(duration,”duration”) | eval Date=strftime(_time, “%Y/%m/%d”)| where duration > 480 […]

Continue Reading →