Last active
December 14, 2020 16:16
-
-
Save neilstuartcraig/5812674 to your computer and use it in GitHub Desktop.
Simple Splunk search to list IIS application pool recycles by application pool name, reason for recycle, host and time.
Updated to give more comprehensive app pool recycle Eventcode coverage (ref: http://technet.microsoft.com/en-us/library/cc735206(v=ws.10).aspx)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SourceName="Microsoft-Windows-WAS" host="*" | | |
| search recycle | | |
| rex field=Message "application pool '(?<appPool>\S*)'" | | |
| eval host=upper(host) | | |
| eval reason=case(EventCode=5074, "Worker process reached processing time limit", EventCode=5075, "Worker process reached processing request limit", EventCode=5076, "Scheduled recycle", EventCode=5077, "Worker process reached processing virtual memory limit", EventCode=5078, "ISAPI reported a problem so app pool was recycled", EventCode=5079, "Manual recycle", EventCode=5080, "Config changes forced recycle", EventCode=5080, "Config changes forced recycle due to invalidated meta data", EventCode=5117, "Worker process reached processing private vytes (RAM) limit", EventCode=5186, "Worker process was shut down due to inactivity") | | |
| table _time host EventCode appPool reason Message |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It's certainly possible to do this more efficiently (e.g. restricting to relevant index) but this should work straight off for most people.
NOTE: This is tested on splunk v5