Forum Discussion

Matasiete's avatar
Matasiete
Copper Contributor
Jan 17, 2019

Azure "conditional" searches in Log Analitycs

Hi:   This is my situation. I have a scheduled task writing a keepalive event in the registry each 15 minutes in several Windows servers.   I can trace them (or any other pointing to a problem) w...
azure monitor
Query Language
Matasiete's avatar
Matasiete
Copper Contributor
Jan 18, 2019

Thanks for your swift answer.

 

It works but only partialy.

I have learnt that there is another problem, related to the usage o 

events_count=count()

as my task runs each 15 min, in an hour you get 4 events, perfect. But as it is meant to be a kind of "keep alive" if I disable the task "events_count=count()" instead of returning a 0 value for a particilar server makes the line not to appear and this way wouldn't trigger the alert. Is there any way to capture 0 results in "events_count=count()"?

 

Stanislav_Zhelyazkov's avatar
Stanislav_Zhelyazkov
MVP
Jan 18, 2019

If I understand correctly you will need to reverse the logic than:

let LiveServers = Event
| where EventLog == "System"
| where Source == "MyEvtOrigin"                                             
| where TimeGenerated > now()-20m and TimeGenerated < now()-5m             
| summarize events_count=count() by Computer, EventID
| distinct Computer;
Heartbeat
| where TimeGenerated > now()-20m and TimeGenerated < now()-5m
| where OSType == 'Windows'
| where Computer notin (LiveServers)

 

The logic for the above query is:

- Find me all computers that have my live event for certain period and put them into table

- Find me all Windows computers that are producing heartbeat events and filter to show me those that are not in the above table

 

You will have to figure out the timings on your own. I usually restrict time only from a time in the past until now. Especially for alerts as there you specify the time frame in the alert properties.

Resources