This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need source=wineventlog:application source=wineventlog:security source=wineventlog:system host=”*” source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message
Start a Windows Service
This Splunk Query will return results for any Windows Service that has started. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ sourcetype=WinEventLog:Application EventCode=105 | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, SourceName, host | sort – Date | fields – count
Shutdown or Suspend a Service in Windows
This splunk query will return results for any Windows Service that has been stopped. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ sourcetype=WinEventLog:Application EventCode=108 | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by Date, SourceName, host | sort – Date | fields – count
