Forum Discussion
henry_vuorela350
Oct 26, 2022, Copper Contributor
how can I create query monitor logs that will alert if the vm has restarted 4 times within an hour?
4 Replies
- Clive_Watson (Bronze Contributor)
  There are two approaches (maybe more).
  1. Check the Heartbeat tables for four periods where there is no data sent. However, that is only really confirming the agent isn't sending... there are lots of examples.
  2. Look at the Windows Events for the event IDs that appear when a machine starts and count these... this will need you to collect that data with a DCR or MMA setting.
- henry_vuorela350 (Copper Contributor)
  I'm thinking of doing it with heartbeats, but I don't know how to create that kind of query. How can I create such a query that monitors something that doesn't happen 4 times within an hour?
  Sorry, I'm a beginner and I don't really know where to read more on the subject.
- Clive_Watson (Bronze Contributor)
Something like this:
  Heartbeat
  | where TimeGenerated > ago(1h)
  // one row per computer per 15-minute bin that contains at least one heartbeat
  | summarize dcount(Computer) by Computer, bin(TimeGenerated, 15m)
  // number of 15-minute bins in the hour that had a heartbeat
  | summarize sum(dcount_Computer) by Computer
  | where sum_dcount_Computer < 4

  These are the computers that didn't have at least 4 heartbeats in the past 1hr - remember this is only an indicator that the VM re-started, it could also show false scenarios like agent failure or other reasons.

  Computer        sum_dcount_Computer
  AppFE00008ZW    1
  AppFE00008ZX    1
  AppFE00008ZQ    2
  AppFE00008ZS    2
  AppFE00008ZT    2
  AppFE00008ZR    1
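The query above flags computers that were missing from at least one 15-minute bin; it does not count how many times a machine came back. The two queries below are an added example, not Clive_Watson's code, covering both approaches he listed: the first counts gaps between consecutive heartbeats per computer (the 3-minute `gapThreshold` is an assumption based on the agent heartbeating roughly once a minute; tune it for your environment), and the second counts Windows System log event 6005 ("The Event log service was started"), which is written at each boot and requires the `Event` table to be populated via an MMA event-collection setting or an AMA data collection rule.

```kql
// Approach 1 (Heartbeat): count restart-like gaps per computer in the last hour.
// Assumption: the agent sends a heartbeat about once a minute, so a gap longer
// than gapThreshold between two consecutive heartbeats marks an outage that ended.
let lookback = 1h;
let gapThreshold = 3m;   // assumed threshold; raise it if heartbeats are sparser
Heartbeat
| where TimeGenerated > ago(lookback)
| project Computer, TimeGenerated
| order by Computer asc, TimeGenerated asc        // serialize so prev() is meaningful
| extend prevTime = prev(TimeGenerated), prevComputer = prev(Computer)
| where Computer == prevComputer                  // drop each computer's first row
| extend gap = TimeGenerated - prevTime
| where gap > gapThreshold                        // keep only the resumptions after a gap
| summarize gapCount = count(),
            gaps = make_list(bag_pack("resumedAt", TimeGenerated, "gap", gap)) by Computer
| where gapCount >= 4                             // the OP's condition: 4 or more in an hour

// Approach 2 (Windows Events): count boot events from the System log in the last hour.
// Event ID 6005 is logged by the EventLog source every time the machine starts.
Event
| where TimeGenerated > ago(1h)
| where EventLog == "System" and EventID == 6005
| summarize startCount = count(), startTimes = make_list(TimeGenerated) by Computer
| where startCount >= 4
```

To turn either query into an alert, create a log alert rule in Azure Monitor that runs it every hour over a 1-hour window and fires when the result has at least one row. Note the blind spots: approach 1 only sees a restart once the VM is sending heartbeats again (a machine still down has no "next" heartbeat and so no gap row), a reboot shorter than `gapThreshold` is not counted, and, as Clive_Watson says, an agent failure looks exactly like a restart. Approach 2 counts actual boots but depends on event collection being configured; pairing it with the missing-heartbeat query above covers the still-down case.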