Forum Discussion

SebasL's avatar
SebasL
Copper Contributor
Feb 13, 2020
Solved

Group similar Process name in LogsAnalytics

Hi, I am looking for a query where I can get % Process CPU for specific Process. My main concern is that I would like to group some of them. For instance: "ZSAService", "ZSATunnel" and "ZSATray" so...
azure monitor
View Designer
  • CliveWatson's avatar
    CliveWatson
    Feb 13, 2020

    SebasL 

     

    If you wanted two groups (ZSA and non-ZSA) that would be:

     

     

    Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or  InstanceName contains "CSFalconSer"  or  InstanceName contains "ZSA" )
| summarize Zscaler    = avgif(CounterValue, InstanceName startswith  "ZSA")
            ,theOthers = avgif(CounterValue, InstanceName !startswith "ZSA")
         by  bin(TimeGenerated, 1d)
| render timechart

     

    I'll need to think more about this, unless anyone else has an idea?

     

    Thanks 

     

CliveWatson's avatar
CliveWatson
Former Employee
Feb 13, 2020

SebasL 

 

If you wanted two groups (ZSA and non-ZSA) that would be:

 

 

Perf
| where Computer contains "sl2"
| where ObjectName == "Process" and CounterName == "% Processor Time"
| where (InstanceName contains "Sysmon" or  InstanceName contains "CSFalconSer"  or  InstanceName contains "ZSA" )
| summarize Zscaler    = avgif(CounterValue, InstanceName startswith  "ZSA")
            ,theOthers = avgif(CounterValue, InstanceName !startswith "ZSA")
         by  bin(TimeGenerated, 1d)
| render timechart

 

I'll need to think more about this, unless anyone else has an idea?

 

Thanks 

 

Resources