Forum Discussion

Mali_Stane's avatar
Mali_Stane
Copper Contributor
Feb 27, 2024
Solved

Azure monitor - prevent alarm on service restart

Hi, A simple script is used, which works in the event that the service stops or that the service stops and starts. Is there a possibility, or how to make a query so that the alarm is not triggered ...
Azure monitor alert
  • Clive_Watson's avatar
    Clive_Watson
    Feb 27, 2024

    Mali_Stane 

     

    You can look to check the time difference between the states, something like this?

    Event
| where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
| where Computer == "--------------"
| where RenderedDescription contains "---------- service entered"
| parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated asc
| project Windows_Service_State, TimeGenerated, diffinMinutes=datetime_diff('minute',TimeGenerated, prev(TimeGenerated))
| where diffinMinutes > 1

     

Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Feb 27, 2024

Mali_Stane 

 

You can look to check the time difference between the states, something like this?

Event
| where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
| where Computer == "--------------"
| where RenderedDescription contains "---------- service entered"
| parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated asc
| project Windows_Service_State, TimeGenerated, diffinMinutes=datetime_diff('minute',TimeGenerated, prev(TimeGenerated))
| where diffinMinutes > 1

 

Mali_Stane's avatar
Mali_Stane
Copper Contributor
Feb 28, 2024
Thank you,
I will create a logic around it..

Resources