As titled, the following Splunk search query shows the restart duration of the Splunk service itself. It uses the transaction command to pair each splunkShuttingDown audit event with the next splunkStarting event from the same server; the transaction's duration field is in seconds, so it is divided by 60 to report minutes.

index=_audit (action="splunkShuttingDown" OR action="splunkStarting")
| eval Date=strftime(_time, "%Y/%m/%d")
| transaction splunk_server startswith=(action="splunkShuttingDown") endswith=(action="splunkStarting")
| eval duration=round(duration/60, 2)
| table Date splunk_server duration
| rename duration as "Splunk Restart Duration" splunk_server as "Splunk Server"
Windows Power Off Duration
This query shows the time between a computer shutting down and powering back on, by pairing Event ID 6006 (the Event log service was stopped) with the next Event ID 6005 (the Event log service was started) on the same host. It captures clean restarts and shutdowns; a hard reset or loss of power does not log 6006, so those outages will not appear.

sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006)
| transaction host startswith="EventCode=6006" endswith="EventCode=6005"
| eval restart_duration=tostring(duration,"duration")
| eval Date=strftime(_time, "%Y/%m/%d")
| where duration > 480 […]
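Both queries above rely on transaction, which buffers events in memory and silently drops any shutdown that never gets a matching startup. The search below is an added example (not from the original post) that computes the same Windows power-off duration with streamstats instead: events are sorted per host, each startup (6005) is compared with the event immediately before it, and a startup whose predecessor is not a 6006 is labelled rather than discarded, which is the case that points at a crash or power loss. It assumes the same sourcetype and field names as the original query and keeps its 480-second threshold.

```spl
sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006)
| sort 0 host _time
| streamstats current=f window=1 last(_time) as prev_time last(EventCode) as prev_code by host
| eval duration=if(EventCode=6005 AND prev_code=6006, _time - prev_time, null())
| eval status=case(EventCode=6005 AND prev_code=6006, "clean restart",
                   EventCode=6005 AND isnull(prev_code), "startup with no earlier event in search window",
                   EventCode=6005, "startup not preceded by clean shutdown (possible crash or power loss)",
                   EventCode=6006, "shutdown")
| where EventCode=6005
| eval Date=strftime(_time, "%Y/%m/%d"), restart_duration=tostring(duration, "duration")
| where isnull(duration) OR duration > 480
| table Date host status restart_duration duration
```

Because the remaining rows are the 6005 events, Date here is the power-on date, whereas in the transaction version _time is the time of the first event in the transaction, i.e. the shutdown. Widening the search time range reduces the "no earlier event in search window" rows, since a host's last shutdown may fall just before the range starts.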