Forum Discussion
Last Update
We use the Windows Analytics modules, therefore do not have any agents (yet). All of our Data relies on Windows Telemetry. Is there any way to list machines that have not uploaded telemetry data in a certain number of days?
Hi
You can use the same logic like Heartbeat query for not reporting Computers. Of course some things needs to be changed. For example:
Heartbeat | where TimeGenerated > ago(7d) | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(15m)
For the Heartbeat we are looking at data for the last 7 days and check for computers that hasn't reported in the last 15 minutes:
For Windows Analytics module it could be:
WaaSDeploymentStatus | where TimeGenerated > ago(7d) | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(2d)
It is best to check against Table that all computers report on certain intervals. I am not sure which table is that Windows Analytics but feel free to suggest if there is a better one. Here we can look for machines that haven't reported for 2 days. As Windows Analytics is send on bigger intervals than Heartbeat you will need to accommodate to that.
Hope this helps.
5 Replies
For Upgrade Readiness, you can use UAComputer.LastScan. So, for example, a query like this might give you what you are looking for:
UAComputer | where TimeGenerated==toscalar(UAComputer | summarize max (TimeGenerated)) | summarize count() by LastScan
For more information on the Windows Analytics schema and sample queries, see https://techcommunity.microsoft.com/t5/Windows-Analytics-resources/Windows-Analytics-Extensibility/m-p/176068#M2
Marc Shepard Is there any way to refine this to only show machines that haven't reported data in greater than 10 days? If possible I would like to use this to create an alert.
let snapShot = toscalar(UAComputer | summarize max(TimeGenerated));
search in (UAComputer) TimeGenerated==snapShot and (LastScan < now() - time(10))
Hi
You can use the same logic like Heartbeat query for not reporting Computers. Of course some things needs to be changed. For example:
Heartbeat | where TimeGenerated > ago(7d) | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(15m)
For the Heartbeat we are looking at data for the last 7 days and check for computers that hasn't reported in the last 15 minutes:
For Windows Analytics module it could be:
WaaSDeploymentStatus | where TimeGenerated > ago(7d) | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(2d)
It is best to check against Table that all computers report on certain intervals. I am not sure which table is that Windows Analytics but feel free to suggest if there is a better one. Here we can look for machines that haven't reported for 2 days. As Windows Analytics is send on bigger intervals than Heartbeat you will need to accommodate to that.
Hope this helps.
