Forum Discussion
how can I create query monitor logs that will alert if the vm has restarted 4 times within an hour?
how can I create query monitor logs that will alert if the vm has restarted 4 times within an hour?
I'm thinking of doing it with heartbeats but I don't know how to create that kind of query. how can I create such a query that monitors something that doesn't happen 4 times within an hour?
Sorry, I'm a beginner and I don't really know where to read more on the subject.
Sorry, I'm a beginner and I don't really know where to read more on the subject.
Something like this:
Heartbeat
| where TimeGenerated > ago(1h)
| summarize dcount(Computer) by Computer, bin(TimeGenerated,15m)
| summarize sum(dcount_Computer) by Computer
| where sum_dcount_Computer < 4
Go to Log Analytics and run query
These are the computers that didn't have at least 4 heartbeats in the past 1hr - remember this is only an indicator that the VM re-started, it could also show false scenarios like agent failure or other reasons
Computer sum_dcount_Computer
| AppFE00008ZW | 1 |
| AppFE00008ZX | 1 |
| AppFE00008ZQ | 2 |
| AppFE00008ZS | 2 |
| AppFE00008ZT | 2 |
| AppFE00008ZR | 1 |
- thanks a lot ❤️