Forum Discussion
Availability on OMS
Sure. I tweaked it a bit to match what you ask for:
let start_time=startofday(datetime("2017-01-01")); let end_time=endofday(datetime("2017-01-31")); Heartbeat | where TimeGenerated > start_time and TimeGenerated < end_time | summarize heartbeat_per_hour=count() by bin_at(TimeGenerated, 1h, start_time), Computer | extend available_per_hour=iff(heartbeat_per_hour>0, true, false) | summarize total_available_hours=countif(available_per_hour==true) by Computer | extend total_number_of_buckets=round((end_time-start_time)/1h) | extend availability_rate=total_available_hours*100/total_number_of_bucketsThe first 2 lines define variables, set to the start and end time you mentioned.
Next, we use these variables to limit the query to that time range:
| where TimeGenerated > start_time and TimeGenerated < end_time
Then we count the heartbeats reported from each computer, in buckets (bins) of 1 hour, starting at the start time you define:
| summarize heartbeat_per_hour=count() by bin_at(TimeGenerated, 1h, start_time), Computer
Now we can see how many heartbeats were reported by each computer each hour. If the number is 0 we understand the computer was probably offline at that time.
We use a new column to mark if a computer was available or not each hour:
| extend available_per_hour=iff(heartbeat_per_hour>0, true, false)
and then count the number of hours each computer was indeed "alive":
| summarize total_available_hours=countif(available_per_hour==true) by Computer
Note that this way we give a little leeway for missing heartbeat reports each hour. Instead of expecting a report every 5 or 10 minutes, we only mark a computer as "unavailable" if we didn't get any report from it during a full hour.
At this point we get a number for each computer, something like this:
So we know each computer was alive 11 hours in the select time range. But what does it mean? how many hours were there altogether? is this 11 out of 11 hours (100% availability) or out of 110 hours (only 10% availability)?
Here's how we can calculate the total number of hours in the selected time range:
| extend total_number_of_buckets=round((end_time-start_time)/1h)+1
I admit it might not be the best calculation of buckets.. there is probably a better way but I can't think of it now..
finally we calculate the ratio between available hours and total hours:
| extend availability_rate=total_available_hours*100/total_number_of_buckets
and get this:
HTH,
Noa
This question for CliveWatsonNoa Kuperberg
I have used queries and in my workspace and got some discrepancies.
First, I used below one.
let start_time=startofday(datetime("2019-09-01 00:00:00"));
let end_time=endofday(datetime("2019-09-27 00:00:00"));
Heartbeat
| where TimeGenerated >= start_time and TimeGenerated <= end_time
| where dayofweek(TimeGenerated) >= 1d and dayofweek(TimeGenerated) <= 5d // Monday-Friday
| where hourofday(TimeGenerated) >= 7 and hourofday(TimeGenerated) <=17 // 7:00-17:59
| summarize heartbeat_per_1_minutes=count() by bin_at(TimeGenerated, 1m, start_time), Computer
| extend available_per_1_min=iff(heartbeat_per_1_minutes>0, true, false)
| summarize total_available_buckets=countif(available_per_1_min==true)
, total_unavailable_buckets=countif(available_per_1_min==false) by Computer
| extend total_number_of_buckets=round(total_available_buckets+total_unavailable_buckets)
| extend availability_rate=total_available_buckets*100/total_number_of_buckets
| where Computer == "vm83560609d9"
And got result like this: -
Now concern is why availability_rate for this VM is 100 for September 1st to 27th , when it is no longer available after few days.
And what is total number of bucket and total unavailable bucket?
And on the other hand when i used second query, below one: -
let start_time=startofday(datetime("2019-09-01"));
let end_time=endofday(datetime("2019-09-27"));
Heartbeat
| where TimeGenerated > start_time and TimeGenerated < end_time
| summarize heartbeat_per_hour=count() by bin_at(TimeGenerated, 1h, start_time), Computer
| extend available_per_hour=iff(heartbeat_per_hour>0, true, false)
| summarize total_available_hours=countif(available_per_hour==true) by Computer
| extend total_number_of_buckets=round((end_time-start_time)/1h)
| extend availability_rate=total_available_hours*100/total_number_of_buckets
| where Computer == "vm83560609d9"
Seems, I am getting right results: -
And in this section, why total number of bucket is too high (648). Same question again what is it?
And total number hours means "the availability of system", if I am not wrong.
Thanks in advance for the help.
MicrosoftYou're right, there is a bug in this query.
I think this new query is the most precise one, taking into account off-hours as needed (e.g. using only work day hours) and easy to change from an hourly-based to a minute-by-minute calculation (change the grain in the make-series command from 1h to 1d). In the below query, total_buckets is the total number of buckets in the time range (if you use 1h, it's the number of hours, if you use 1m, it's the number of minutes etc.) and available_in_buckets is the number of buckets during which the vm sent at least 1 heartbeat.
let start_time=startofday(datetime("2019-10-01")); // UTC
let end_time=now();
Heartbeat
| make-series heartbeats_per_bucket=count() default=0 on TimeGenerated from start_time to end_time step 1h by Computer
| mv-expand heartbeats_per_bucket, TimeGenerated
| project BucketTimeGenerated=todatetime(TimeGenerated), Computer, heartbeats_per_bucket
| where BucketTimeGenerated >= start_time and BucketTimeGenerated <= end_time
| where dayofweek(BucketTimeGenerated) >= 1d and dayofweek(BucketTimeGenerated) <= 5d // Monday-Friday
| where hourofday(BucketTimeGenerated) >= 7 and hourofday(BucketTimeGenerated) <=17 // 7:00-17:59
| summarize total_buckets=count(), available_in_buckets=countif(heartbeats_per_bucket>0) by Computer
| project Computer, availability_rate=available_in_buckets*100/total_buckets
Thanks Clive,
I will explain what i am trying to find
1. Finding creation Time/Date for a list of Azure VMs
2. Find the availability of those VMs from the date of creation if the log is overwritten we will consider the available logs
3. Finding a way to get these results in a report resource group wise/ Windows machines / Linux machines
Do we already have a query to get this info by any chance?
Do you mean the last query above? Do you mean creation time of the computer (we'd only see that if you keep the logs from that time and its less than two years - max retention value in Log Analytics)
let start_time=startofday(ago(360d)); // UTC let end_time=now(); Heartbeat | make-series heartbeats_per_bucket=count() default=0 on TimeGenerated from start_time to end_time step 1h by Computer | mv-expand heartbeats_per_bucket, TimeGenerated | project BucketTimeGenerated=todatetime(TimeGenerated), Computer, heartbeats_per_bucket | where BucketTimeGenerated >= start_time and BucketTimeGenerated <= end_time | where dayofweek(BucketTimeGenerated) >= 1d and dayofweek(BucketTimeGenerated) <= 5d // Monday-Friday | where hourofday(BucketTimeGenerated) >= 7 and hourofday(BucketTimeGenerated) <=17 // 7:00-17:59 | summarize total_buckets=count(), available_in_buckets=countif(heartbeats_per_bucket>0), min(BucketTimeGenerated), max(BucketTimeGenerated) by Computer | project Computer, availability_rate=available_in_buckets*100/total_bucketsYou can adjust line #1 to go back a number of days (above I show 1 year (365days))
Hi Guys,
I wanted to take a report for a list of Azure VMs the 24/7 availability report from the date of creation,
Can you please tweak the script and help me to get the report?
- Noa Kuperberg
SatyaParida Windows events are logged in the Event table, as far as I know, but I am not familiar with the data reported by each service and application to create the query you ask for. If you have more information on the logged data I can help with the query syntax.
SatyaParidaNoa Kuperberg Just curious if there is a way to find/calculate any windows service availability for a specific period using OMS query?
