Forum Discussion
Arslan11
Jun 11, 2020
Brass Contributor
Help with making the query work
ConfigurationChange
| where ConfigChangeType == "WindowsServices"
and SvcState == "Stopped"
and (
Computer has "NH-P2PAPP01.networkhg.org.uk"
or Computer has “NET-P2PLIVEAPP1.networkhg.org.uk"
or Computer has “NET-P2PTESTAPP.networkhg.org.uk”
)
and (
SvcDisplayName == "Integra eSeries FINPROD"
or SvcDisplayName == "Integra SPC FINPROD”
or SvcDisplayName == "Integra UAS FINPROD"
or SvcDisplayName == "Integra eSeries FINDEV"
or SvcDisplayName == "Integra SPC FINDEV"
or SvcDisplayName == "Integra UAS FINDEV"
or SvcDisplayName == "Integra eSeries Duet"
or SvcDisplayName == “Integra eSeries SPTDEV"
or SvcDisplayName == "Integra eSeries FINARCH"
)
I am not sure why this alert is not being configured. I can see nothing wrong; can you please assist me with this?
The request had some invalid properties, it keeps on saying that, but I have another query set up like that without any problems.
- Meir_Mendelovich
Microsoft
Arslan11 ,
It seems to me that the query fails to parse because you were using the wrong double quote character. You used ” instead of "
There are many different double quote chars that some keyboards change automatically.
Other than the quote chars, I have slightly rewritten your query to make it more readable and easier to maintain:
ConfigurationChange
| where ConfigChangeType == "WindowsServices"
    and SvcState == "Stopped"
    and Computer has_any ("NH-P2PAPP01.networkhg.org.uk", "NET-P2PLIVEAPP1.networkhg.org.uk", "NET-P2PTESTAPP.networkhg.org.uk")
    and SvcDisplayName in ("Integra eSeries FINPROD", "Integra SPC FINPROD", "Integra UAS FINPROD", "Integra eSeries FINDEV", "Integra SPC FINDEV", "Integra UAS FINDEV", "Integra eSeries Duet", "Integra eSeries SPTDEV", "Integra eSeries FINARCH")
- Arslan11
Brass Contributor
Meir_Mendelovich Thanks, another query question to ask
Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and Computer != "net-fs3.networkhg.org.uk" and Computer != "NET-FS1.networkhg.org.uk" and Computer != "NET-SQL3.networkhg.org.uk" and Computer != "NET-EDMLIVEDB1.networkhg.org.uk" and Computer != "NET-EDM_KOFAX1.networkhg.org.uk"
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) == 2 and InstanceName contains ":" and Computer != "NET-REPAIR2.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-02.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D"
| where Free_Space < 10
How can I make this more readable, and also make sure that one instance for that computer is not being monitored instead of all?
- CliveWatson
Microsoft
FYI, this was answered on this group: https://techcommunity.microsoft.com/t5/azure/assiatnce-with-kql-disk-space-high-alert/m-p/1468547#M5458