The following query shows uptime of all systems over a certain period of time (days_uptime). Replace my indexes with yours.
index=os OR index=idx_appdev sourcetype=Unix:Uptime OR sourcetype="WMI:Uptime" | dedup host | eval DaysUp=round(SystemUpTime/86400,2) | eval Years=round(DaysUp/365,2) | eval Months=round(DaysUp/30,2) | search DaysUp > $days_uptime$ | table host DaysUp Years Months SystemUpTime | sort - SystemUpTime
Looks like:
hostname | DaysUp | Years | Months | SystemUpTime
and $days_uptime$ is a text box in my case.
I don't see sourcetype="WMI:Uptime" in the Windows TA. How do we get it?
If you are using the Splunk TA for UNIX and the TA for Windows:
(index=osunix sourcetype="Unix:Uptime") OR (index=wineventlog sourcetype="WinEventLog:System" EventCode=6013) | rex field=Message "uptime is (?<SystemUpTime>\d+) seconds" | dedup host | eval DaysUp=round(SystemUpTime/86400,2) | eval Years=round(DaysUp/365,2) | eval Months=round(DaysUp/30,2) | search DaysUp > $days_uptime$ | table host DaysUp Years Months SystemUpTime | sort host
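The two searches above (the WMI:Uptime one and the EventCode 6013 one) share the same logic: pull a SystemUpTime value per host, dedup to the newest event, convert seconds to days, and filter on the threshold. The script below is an added example (not from the original post) that runs that same logic offline over a few constructed events, which is handy for checking what the search should return before trusting it in a dashboard. It assumes the stripped rex capture group is named SystemUpTime and that the 6013 Message text contains "uptime is N seconds"; the sample events and hostnames are constructed.

```python
import re

# Constructed sample events: one Unix:Uptime event that already carries
# SystemUpTime, and three Windows System-log EventCode 6013 events whose
# Message field embeds the uptime in seconds (what the rex extracts).
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T08:00:00", "host": "web01", "sourcetype": "Unix:Uptime", "SystemUpTime": "3456000"},
    {"_time": "2024-03-01T08:00:00", "host": "dc01", "sourcetype": "WinEventLog:System", "EventCode": "6013",
     "Message": "The system uptime is 15552000 seconds."},
    {"_time": "2024-02-28T08:00:00", "host": "dc01", "sourcetype": "WinEventLog:System", "EventCode": "6013",
     "Message": "The system uptime is 15292800 seconds."},
    {"_time": "2024-03-01T08:00:00", "host": "app02", "sourcetype": "WinEventLog:System", "EventCode": "6013",
     "Message": "The system uptime is 86400 seconds."},
]

# Equivalent of: rex field=Message "uptime is (?<SystemUpTime>\d+) seconds"
# (assumption: the capture group in the post is named SystemUpTime)
UPTIME_RE = re.compile(r"uptime is (?P<SystemUpTime>\d+) seconds")


def uptime_seconds(event):
    """Return SystemUpTime in seconds for one event, or None if it cannot be determined."""
    if "SystemUpTime" in event:                      # Unix:Uptime already has the field
        return int(event["SystemUpTime"])
    if event.get("sourcetype") == "WinEventLog:System" and event.get("EventCode") == "6013":
        m = UPTIME_RE.search(event.get("Message", ""))
        if m:
            return int(m.group("SystemUpTime"))
    return None                                      # unrelated event or unexpected message text


def uptime_report(events, days_uptime):
    """Mirror the SPL: dedup host (newest event wins), compute DaysUp/Years/Months,
    keep hosts with DaysUp > days_uptime, sort by SystemUpTime descending."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        latest.setdefault(ev["host"], ev)            # first seen is newest, like dedup on a time-sorted search
    rows = []
    for host, ev in latest.items():
        secs = uptime_seconds(ev)
        if secs is None:
            continue
        days = round(secs / 86400, 2)
        if days > days_uptime:
            rows.append({"host": host, "DaysUp": days, "Years": round(days / 365, 2),
                         "Months": round(days / 30, 2), "SystemUpTime": secs})
    return sorted(rows, key=lambda r: r["SystemUpTime"], reverse=True)


if __name__ == "__main__":
    for row in uptime_report(SAMPLE_EVENTS, 30):     # 30 plays the role of $days_uptime$
        print(row)
```

Hosts that never log a 6013 event (or whose Message text differs) simply drop out of the report, which is the same silent gap the SPL has when the rex does not match.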
Sorry, but that command does not work on Windows.