This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need
|
1 |
source=wineventlog:application |
|
1 |
source=wineventlog:security |
|
1 |
source=wineventlog:system |
|
1 |
host="*" source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message |
This Splunk Query will return results for any Windows Service that has started. Ensure the Splunk App for Windows is installed grab it here:Â https://apps.splunk.com/app/742/
|
1 |
sourcetype=WinEventLog:Application EventCode=105 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, SourceName, host | sort - Date | fields - count |
This splunk query will return results for any Windows Service that has been stopped. Ensure the Splunk App for Windows is installed grab it here:Â https://apps.splunk.com/app/742/
|
1 |
sourcetype=WinEventLog:Application EventCode=108 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, SourceName, host | sort - Date | fields - count |
