Forum Discussion
Azure monitoring Kusto query
Arslan11, you put Computer != "NH-E2016-01.networkhg.org.uk", which would avoid this computer completely no matter what you put behind it, I think.
Also, you can create a group in Log Analytics (go to saved searches; there you can create a search as a group). E.g., this is one group I have for servers that I want Critical patches to run upon in another group called EuropeServers:
Heartbeat
And in the EuropeNonCriticalPatch I have things like:
search "Heartbeat"
| where (Computer == "computerA" or Computer == "computerB" or Computer == "computerC" or Computer == "computerD")
| distinct Computer
So you could create something similar in your case.
Some other ideas: I prefer to reduce the number of "or"s and replace them with an "in" or "!in":
search "Heartbeat"
| where Computer in ("computerA", "computerB", "computerC", "computerD")
| distinct Computer
or
let computerList = dynamic(["computerA", "computerB", "computerC", "computerD"]);
search "Heartbeat"
| where Computer in (computerList)
| distinct Computer
FYI,
Home - Azure - Azure Log Analytics (in another forum to use on this platform for KQL help)
- Arslan11, Jun 11, 2020, Copper Contributor
CliveWatson, thanks. My question is: how can I avoid one instance name being monitored on a server, instead of avoiding all the instance names, when using the language specified below:
and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E"
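
The difference between the filter quoted in the question and a filter that excludes only one instance on one computer, as an added example that is not part of either post. The rows, the instance names "disk:C" and "disk:E", and the names samplePerf, andForm and pairForm are constructed for illustration; real data would come from the workspace's own performance table.

```kusto
// Constructed sample rows standing in for performance records.
let targetComputer = "NH-E2016-01.networkhg.org.uk";
let samplePerf = datatable(Computer:string, InstanceName:string, CounterValue:real)
[
    "NH-E2016-01.networkhg.org.uk", "disk:C", 12.0,
    "NH-E2016-01.networkhg.org.uk", "disk:E", 3.0,
    "computerA", "disk:C", 40.0,
    "computerA", "disk:E", 8.0
];
// Form from the thread: a row survives only if BOTH conditions hold,
// so every row of targetComputer is dropped, and so is any ":E"
// instance on every other computer.
let andForm = samplePerf
    | where Computer != targetComputer and InstanceName !contains ":E"
    | extend Filter = "Computer != X and InstanceName !contains ':E'";
// Pair form: drop a row only when it is the ":E" instance ON targetComputer.
// Other instances on targetComputer, and ":E" elsewhere, stay monitored.
let pairForm = samplePerf
    | where not(Computer == targetComputer and InstanceName contains ":E")
    | extend Filter = "not(Computer == X and InstanceName contains ':E')";
// Show both results side by side for comparison.
union andForm, pairForm
| project Filter, Computer, InstanceName, CounterValue
| order by Filter asc, Computer asc, InstanceName asc
```

Comparing the two result sets before changing an alert rule shows which machines and instances would silently fall out of monitoring.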