Solved: OS Service Availability showing no records

Troy · ‎11 Jul 2025

Im trying to retrieve OS Services in our environment - using the example DQL from the documentation: here
I get no results.

Our OS Service monitoring is working as our monitors are alerting correctly but it would be extremely helpful if i could use DQL to find all running services on a host and their status.

using the following DQL I am able to retrieve Service Display names on a host but I cannot / dont know how to get the actual status of the service and the service name, not just the Display name, I would like to get the actual name of the windows service aswell.

fetch `dt.entity.os:service`
| fieldsAdd dt.entity.host=runs_on[dt.entity.host]
| fieldsAdd host_name = entityName(dt.entity.host) // Add the host name
| summarize host_names = collectArray(host_name), by:{id, entity.name}

Is there some setting to make dt.osservice.availabilty gather data? or am I missing something here?

Emm4nuel · ‎11 Jul 2025

Hi Troy,

If you are trying to retrieve OS Services in your environment use this query:

fetch dt.entity.host
| fieldsAdd osServices, state
| expand osServices
| parse osServices, """LD 'dt.osservice.name=' LD:"OS Service" ',' LD 'dt.osservice.status=' LD:Status ','"""
| fields `Host Name` = entity.name, id, state, `OS Service`, Status

Let me know if this helps you!

Troy · ‎11 Jul 2025

Works beautifully thank you!