Forum Discussion

Mali_Stane
Copper Contributor
Feb 27, 2024

Azure monitor - prevent alarm on service restart

Hi,

A simple script is used, which works in the event that the service stops or that the service stops and starts.

Is there a possibility, or how to make a query, so that the alarm is not triggered if the service is restarted and the restart takes, let's say, 1 minute?

I don't mean maintenance here, because it can be done randomly when someone applies something…

 


Event
| where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
| where Computer == "**********************"
| where RenderedDescription contains "The Windows Search service entered"
| parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Windows_Service_State

  • Clive_Watson
    Bronze Contributor

    Mali_Stane 

     

    You can look to check the time difference between the states, something like this?

    Event
    | where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
    | where Computer == "--------------"
    | where RenderedDescription contains "---------- service entered"
    | parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
    | sort by TimeGenerated asc
    | project Windows_Service_State, TimeGenerated, diffinMinutes=datetime_diff('minute',TimeGenerated, prev(TimeGenerated))
    | where diffinMinutes > 1
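
One way to express the requirement from the question, as an added example that is not part of either post: pair each "stopped" event with the event that follows it, and keep only stops that were not followed by "running" within a grace period. The datatable rows and the names ServiceEvents, RestartGrace and Now are constructed for illustration, and the state values "stopped" and "running" are assumed to be what param2 contains.

```kusto
// Added example. Constructed sample rows stand in for the output of the
// Event | where ... | parse ... steps shown in the thread (not real data).
let RestartGrace = 1m;                        // assumption: shorter restarts should not alarm
let Now = datetime(2024-02-27 10:30:00);      // fixed for the sample; use now() on live data
let ServiceEvents = datatable(TimeGenerated:datetime, Computer:string, Windows_Service_State:string)
[
    datetime(2024-02-27 09:00:00), "srv01", "running",
    datetime(2024-02-27 10:00:00), "srv01", "stopped",
    datetime(2024-02-27 10:00:40), "srv01", "running",
    datetime(2024-02-27 10:10:00), "srv01", "stopped",
    datetime(2024-02-27 10:15:00), "srv01", "running",
    datetime(2024-02-27 10:20:00), "srv01", "stopped"
];
ServiceEvents
// Sorting serializes the rows so next() can look at the following event.
| sort by Computer asc, TimeGenerated asc
| extend NextComputer = next(Computer),
         NextState = next(Windows_Service_State),
         NextTime = next(TimeGenerated)
// Only a stop can raise the alarm; a start event on its own never does.
| where Windows_Service_State == "stopped"
// Recovered: the very next event on the same computer is a start.
| extend Recovered = (NextComputer == Computer and NextState == "running")
// Downtime is stop-to-start if recovered, otherwise stop-to-now (still down).
| extend DownFor = iff(Recovered, NextTime - TimeGenerated, Now - TimeGenerated)
| where DownFor > RestartGrace
| project Computer, StoppedAt = TimeGenerated, Recovered, DownFor
```

On the sample rows the 40-second restart at 10:00 is filtered out, while the 5-minute outage at 10:10 and the still-open stop at 10:20 are returned. In an alert rule, a stop newer than the grace period is simply not reported until a later evaluation finds it still unrecovered.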

     
