10 Nov 2025 06:01 PM - last edited on 17 Nov 2025 10:28 AM by MaciejNeumann
Hello community,
I am building a DQL query based on OS Services to monitor processes on a host. My goal is to identify when, within a 30‑minute interval, a service changes its status from running to stopped.
Here is the query I have so far:
timeseries from:now() -30m, by:{`dt.entity.os:service`, dt.osservice.status, dt.entity.host}, count_availability = count(dt.osservice.availability)
| filter dt.entity.host == "HOST-99678FB7C13FBC95"
| lookup [ fetch `dt.entity.os:service` ], sourceField: `dt.entity.os:service`,
lookupField: id,
fields: { `Service Name` = entity.name }
| fieldsAdd current_status = if(dt.osservice.status == "stopped", "stopped", else: null)
| fieldsAdd previous_status = if(isNotNull(current_status), "running", else: null)
| fields `Service Name`, previous_status, current_status, dt.entity.host
Is there a way in DQL to create a condition that compares the current status with the previous status, so I can specifically detect the transition from running → stopped within this 30‑minute window?
11 Nov 2025 12:41 PM
Hi,
The reliable way to capture a running → stopped transition in the last 30 minutes is to use events/problems for OS Services (raised when a service stops), filtered to the target host.
After that you can use this DQL:
fetch events
| filter timestamp >= now()-30m
| filter event.kind == "DAVIS_PROBLEM"
| filter contains(lower(event.title), "service")
| filter contains(lower(event.title), "stopped")
| expand svc = affectedEntities
| filter svc.entityType == "OS_SERVICE"
| expand h = affectedEntities
| filter h.entityType == "HOST" AND h.entityId == "HOST-99678FB7C13FBC95"
| fields svc.displayName, svc.entityId, event.start, event.end, event.status, event.title
This returns OS services on HOST that stopped in the last 30 minutes — i.e., the actual running → stopped transitions.
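For readers who want to stay with the question's timeseries approach instead of Davis problem events, here is an added example query (not from either post) that detects the transition by comparing the first and last data point of the "stopped" series inside the 30-minute window. It assumes that intervals without samples come back as null in the timeseries array, and it keeps the host ID and lookup from the question.

```dql
// Added example, not from the original thread. Same timeseries as the question,
// but the running -> stopped transition is derived from the shape of the "stopped"
// series: empty at the start of the window (service still running), populated at the end.
// Assumption: intervals with no samples are returned as null in count_availability.
timeseries count_availability = count(dt.osservice.availability),
  by: {`dt.entity.os:service`, dt.osservice.status, dt.entity.host},
  from: now()-30m
| filter dt.entity.host == "HOST-99678FB7C13FBC95"
// only look at the "stopped" series of each service
| filter dt.osservice.status == "stopped"
// no "stopped" samples at window start, but samples at window end => it stopped during the window
| filter isNull(arrayFirst(count_availability)) and isNotNull(arrayLast(count_availability))
// resolve the entity ID to a readable service name, as in the question
| lookup [fetch `dt.entity.os:service`], sourceField: `dt.entity.os:service`, lookupField: id,
  fields: {`Service Name` = entity.name}
| fieldsAdd previous_status = "running", current_status = "stopped"
| fields `Service Name`, dt.entity.host, previous_status, current_status, count_availability
```

A service that stops and restarts inside the window still ends its "stopped" series with null and is therefore not reported; drop the `arrayLast` condition if such short outages should be listed too.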