We are trying to set up an alert for any of our servers that haven't been restarted in 60 days or more, just to keep track of things.
At midnight Windows will register Event 6013 in the system log and display the uptime in seconds.
I tried to get Sumologic to look at these and tell me if any were greater than 5184000 seconds (60 days).
I came up with this, but it doesn't seem to work as Sumologic can't parse the string.
_sourceCategory=OS/Windows 6013 | parse using public/windows/2008 | where event_id=" 6013" and "uptime" > 5184000
Can anyone help out or point me in the right direction?
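
The check described in the post, written out as an added Python example (not part of the original post, and not Sumo Logic query syntax): it pulls the uptime out of the Event 6013 message text, converts it to a number, keeps the latest reading per host and compares it with 5184000. The record layout, host names and sample events are constructed assumptions; the message wording "The system uptime is N seconds." is the text Windows writes for Event 6013.

```python
import re

# Event 6013 message text: "The system uptime is <N> seconds."
UPTIME_RE = re.compile(r"system uptime is (\d+) seconds", re.IGNORECASE)
THRESHOLD_SECONDS = 60 * 24 * 60 * 60  # 5184000, the 60-day limit from the post

# Constructed sample records: (timestamp, host, event_id, message).
# This layout is an assumption, not a real collector format.
SAMPLE_EVENTS = [
    ("2024-03-01T12:00:00", "web01", "6013", "The system uptime is 5097600 seconds."),
    ("2024-03-02T12:00:00", "web01", " 6013", "The system uptime is 5184000 seconds."),
    ("2024-03-03T12:00:00", "web01", " 6013", "The system uptime is 5270400 seconds."),
    ("2024-03-03T12:00:00", "db01", "6013", "The system uptime is 86400 seconds."),
    ("2024-03-02T12:00:00", "app01", "6013", "The system uptime is 9000000 seconds."),
    ("2024-03-03T12:00:00", "app01", "6013", "The system uptime is 3600 seconds."),  # rebooted since
    ("2024-03-03T12:00:05", "app01", "6005", "The Event log service was started."),
    ("2024-03-03T12:00:00", "file01", "6013", "uptime unavailable"),  # malformed message
]


def stale_hosts(events, threshold=THRESHOLD_SECONDS):
    """Return {host: uptime_seconds} for hosts whose latest 6013 reading exceeds threshold."""
    latest = {}  # host -> (timestamp, uptime_seconds)
    for ts, host, event_id, message in events:
        # int() tolerates padding such as " 6013"; the id is compared as a number
        if int(event_id) != 6013:
            continue
        match = UPTIME_RE.search(message)
        if match is None:
            continue  # no numeric uptime in the message, nothing to compare
        uptime = int(match.group(1))  # compare as a number, not as text
        # ISO-8601 timestamps sort correctly as strings; keep only the newest reading
        if host not in latest or ts > latest[host][0]:
            latest[host] = (ts, uptime)
    # Strictly greater than, matching the "> 5184000" condition in the post's query
    return {host: up for host, (_, up) in latest.items() if up > threshold}


if __name__ == "__main__":
    for host, uptime in sorted(stale_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: up {uptime // 86400} days ({uptime} s)")
```
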