Forum Discussion
How to get last status of the service in Event Logs without selecting TimeRange
- Mar 01, 2021
This would return the last row of data - using arg_max()
Event
| where EventLog == 'System' and EventID == 7036
| summarize arg_max(TimeGenerated,*)
- Racheal200 Mar 01, 2021 Copper Contributor
CliveWatson Thanks for the reply.
I have modified my query to the one below:
Event
| where TimeGenerated < ago(3m) // last 3 months
| where Computer == '' // VM instance name
| where EventLog == 'System' and EventID == 7036 and Source == 'cisco' and RenderedDescription startswith_cs 'cisco'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| project TimeGenerated, Computer, Windows_Service_Name, Windows_Service_State
| summarize arg_max(TimeGenerated, *) by Windows_Service_Name
| sort by TimeGenerated desc
If this query is executed without '| where TimeGenerated < ago(3m) ' it by default takes 24 hours.
So I modified the query to check status for the last 3 months. It's working as expected in query explorer.
But when this is pinned to the dashboard, it's not returning the result as it still takes the TimeRange from the dashboard and I cannot override it to check for the last 3 months.
How to display this result in the dashboard?
- CliveWatson Mar 02, 2021 Former Employee
Make sure you "set in Query" in the Dashboard. Also 3m == 3 minutes, so you would need 90d for 3 months (see: The timespan data type - Azure Data Explorer | Microsoft Docs).
When using ago() (see: ago() - Azure Data Explorer | Microsoft Docs), use ">" rather than "<".
- Racheal200 Mar 02, 2021 Copper Contributor
CliveWatson, I have modified my query as you suggested.
In the dashboard, I don't have a similar option like yours. When I click that icon it opens the edit query box like the image below and there's not much option.
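The two corrections suggested in the thread (90d instead of 3m, and ">" rather than "<" with ago()), applied to the query posted earlier. This is an added example, not part of any post; the empty Computer value is a placeholder carried over from the original query.

```kusto
// Added example; fill in the Computer value for your own VM.
Event
| where TimeGenerated > ago(90d)   // newer than 90 days ago; 3m would mean 3 minutes
| where Computer == ''             // VM instance name (placeholder)
| where EventLog == 'System' and EventID == 7036 and Source == 'cisco' and RenderedDescription startswith_cs 'cisco'
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| project TimeGenerated, Computer, Windows_Service_Name, Windows_Service_State
| summarize arg_max(TimeGenerated, *) by Windows_Service_Name   // latest state per service
| sort by TimeGenerated desc
```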