Mali_Stane (Copper Contributor)
Feb 27, 2024
Azure monitor - prevent alarm on service restart
Hi,
A simple script is used, which works in the event that the service stops or that the service stops and starts.
Is there a possibility, or how to make a query so that the alarm is not triggered if the service is restarted and the restart takes, let's say, 1 minute?
I don't mean maintenance here, because it can be done randomly when someone applied something…
Event
| where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
| where Computer == "**********************"
| where RenderedDescription contains "The Windows Search service entered"
| parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Windows_Service_State
- Clive_Watson (Bronze Contributor)
You can look to check the time difference between the states, something like this?
Event
| where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
| where Computer == "--------------"
| where RenderedDescription contains "---------- service entered"
| parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated asc
| project Windows_Service_State, TimeGenerated, diffinMinutes=datetime_diff('minute',TimeGenerated, prev(TimeGenerated))
| where diffinMinutes > 1
- Mali_Stane (Copper Contributor)
Thank you,
I will create a logic around it.
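
One way to build the logic discussed in this thread, as an added example that is not from either poster: pair each "stopped" event with the state change that follows it, and return a row only when the service did not come back within the grace period. It assumes `param2` carries the literal values `stopped` and `running` (as on an English-language Windows host); the `grace` and `lookback` values and the `<computer-name>` placeholder are illustrative.

```kusto
// Added example: suppress the alert when a stop is followed by a start within `grace`.
let grace = 1m;        // longest restart that should NOT raise an alert (assumed value)
let lookback = 30m;    // query window; must be longer than `grace` (assumed value)
Event
| where TimeGenerated > ago(lookback)
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager'
| where Computer == "<computer-name>"      // placeholder, replace with the monitored host
| where RenderedDescription contains "The Windows Search service entered"
| parse kind = relaxed EventData with * '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
// Oldest first, so next() looks at the state change that follows each row.
| sort by TimeGenerated asc
| extend NextState = next(Windows_Service_State), NextTime = next(TimeGenerated)
// Only stop events can open an outage.
| where Windows_Service_State == "stopped"
// A stop counts as a quick restart when the very next event is "running" within the grace period.
| extend QuickRestart = (NextState == "running") and ((NextTime - TimeGenerated) <= grace)
// Ignore stops younger than the grace period: the restart may still be in progress.
| where not(QuickRestart) and TimeGenerated < ago(grace)
| project Computer, StoppedAt = TimeGenerated, NextState, NextTime
```

With an alert rule that fires when this query returns more than zero rows, a stop with no following start (empty `NextState`) and a restart that took longer than `grace` both raise the alert, while a restart completed inside the grace period returns nothing.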