ScottAllison
Aug 05, 2019
Iron Contributor
Heartbeat query, show negative results
Greetings Community, I'm trying to formulate a query whereby I provide a list of servers to check for a heartbeat in the last 6 hours, but I only want to return the servers THAT DO NOT HAVE A REC...
- Aug 06, 2019
Have a look at this example: Go to Log Analytics and Run Query
You will need to add in your own myList values and make some other minor edits.
//
// I have filtered on Computers starting with "A" to make the list smaller - remove or edit as required
//
// First, generate a list of all computers from Heartbeat table into an array
let myServers = toscalar(Heartbeat
    | where Computer startswith "A"
    | distinct Computer
    | summarize make_set(Computer));
// Now define my list of computers as an array
let myList = dynamic(["aFakeComputer","ad-primary-dc.contoso.com","ad-secondary-dc.contoso.com","fakeComputer"]);
Heartbeat
| where Computer startswith "A"
| distinct Computer
// compare the two arrays, show only values that are not in the 2nd array
| project ComputersNotInHeatBeat = set_difference(myList, myServers)
| distinct tostring(ComputersNotInHeatBeat)
Results look like this:
ComputersNotInHeatBeat
["aFakeComputer","fakeComputer"]
Meir_Mendelovich
Microsoft
Aug 11, 2019
Hi,
The most performant way would be to utilize the built-in join operator in its anti flavors:
let MyCompList = datatable(Computer:string)
[
    "SERVER123",
    "SERVER456",
    "SERVER789"
];
MyCompList
| join kind=leftanti (
    Heartbeat
    | where TimeGenerated > ago(6h)
    | distinct Computer
) on Computer
Thanks,
Meir
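An added example, not part of the thread: it extends the anti-join idea above so that each missing server is returned with its last heartbeat time, which separates an agent that went silent recently from one that never reported. The server names are constructed placeholders and the 30-day history window is an assumption; both sides are lower-cased because `join` and `set_difference` compare strings case-sensitively.

```kql
// Added example (not from the original posts). Names below are constructed placeholders.
let lookback = 6h;        // window from the original question
let history  = 30d;       // assumption: how far back to search for a last heartbeat
let Expected = datatable(Computer:string)
[
    "SERVER123",
    "server456.contoso.com",
    "SERVER789"
]
| extend ComputerKey = tolower(Computer);
// Latest heartbeat per computer, keyed on the lower-cased name.
let Seen = Heartbeat
| where TimeGenerated > ago(history)
| summarize LastHeartbeat = max(TimeGenerated) by ComputerKey = tolower(Computer);
Expected
| join kind=leftouter (Seen) on ComputerKey
| extend Status = case(
    isnull(LastHeartbeat), "no heartbeat in history window",
    LastHeartbeat < ago(lookback), "silent",
    "ok")
| where Status != "ok"
| project Computer, LastHeartbeat, Status
| order by LastHeartbeat asc
```

Names in the expected list must use the same form (short name or FQDN) as the `Computer` column in Heartbeat, otherwise a healthy server is reported as missing.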