**Question**

My search:

```
index=wineventlog eventtype=winsystem *The Windows Defender service entered* EventCode=7036
| transaction host maxevents=2
| eval DurationinMinutes=duration/60
| where DurationinMinutes>500
| table host, Message, DurationinMinutes
| sort - DurationinMinutes
```

Sample events:

```
Mycomputer  The Windows Defender Service service entered the stopped state.
Mycomputer  The Windows Defender Network Inspection Service service entered the stopped state.
Mycomputer  The Windows Defender Network Inspection Service service entered the running state.
```

Event fields:

```
Message=The Windows Defender Service service entered the stopped state.
Message=The Windows Defender Network Inspection Service service entered the stopped state.
Message=The Windows Defender Network Inspection Service service entered the running state.
OpCode=The operation completed successfully.
TaskCategory=The operation completed successfully.
SourceName=Microsoft-Windows-Service Control Manager
```

The first 2 events are good but I don't want the last event.

**Answer**

You can try adding keepevicted=true in your transaction query, but this will slow down events further. Since you are looking for more than one week's data, the transaction command may actually drop the events.

You should try to switch to stats instead to take advantage of map-reduce and faster search:

1) If you want to alert for stopped status per host where time is greater than a week you can just do a dedup for stopped state and calculate duration as now()-_time

```
index=wineventlog eventtype=winsystem *The Windows Defender service entered* EventCode=7036
| rex field=Message "The (?<Service>.+) Service service entered the (?<State>.+) state\."
| dedup host Service
| eval downTime=now()-_time
| search State="stopped" AND downTime>604800
```

You can also set up the final `| search downTime>604800` condition in your alert directly so that you can see downTime for various hosts through the alert query and trigger only if downTime is greater than a week.
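The answer recommends stats over transaction but only sketches the dedup form. The search below is an added example, not the asker's or answerer's own query: it carries the same idea through with `stats` so that each host/service pair is reduced to its most recent state change, and alerts only on services whose latest recorded state is "stopped" and has been so for more than a week (604800 seconds). It assumes the field names shown in the question (`host`, `Message`, `EventCode=7036`) and a 30-day lookback window, which is an assumption chosen so that the window is comfortably longer than the one-week threshold.

```spl
index=wineventlog eventtype=winsystem *The Windows Defender service entered* EventCode=7036 earliest=-30d
| rex field=Message "The (?<Service>.+) service entered the (?<State>.+) state\."
| stats latest(_time) as lastChange latest(State) as State by host Service
| eval downTime=now()-lastChange
| where State="stopped" AND downTime>604800
| eval DaysStopped=round(downTime/86400,1)
| table host Service State lastChange DaysStopped
| sort - DaysStopped
```

Against the three sample events, `stats latest()` leaves "Windows Defender Network Inspection Service" in the running state (its newest event), so only "Windows Defender Service" can be reported, which is the outcome the question asks for. Two caveats: the lookback must be longer than the alert threshold, and a service whose last "stopped" event is older than the lookback window produces no row at all, so the window should be sized for the longest outage you expect to catch. If you prefer to keep the threshold in the alert, drop `AND downTime>604800` from the `where` clause and use `search downTime>604800` as the alert's custom trigger condition, as the answer suggests.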