Forum Discussion

Brass Contributor

Apr 26, 2018

Solved

Last Update

We use the Windows Analytics modules, therefore do not have any agents (yet). All of our Data relies on Windows Telemetry. Is there any way to list machines that have not uploaded telemetry data in a...

azure monitor

solutions

Stanislav_Zhelyazkov
Apr 27, 2018
Hi

You can use the same logic like Heartbeat query for not reporting Computers. Of course some things needs to be changed. For example:

Heartbeat | where TimeGenerated > ago(7d) | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(15m)

For the Heartbeat we are looking at data for the last 7 days and check for computers that hasn't reported in the last 15 minutes:

For Windows Analytics module it could be:

WaaSDeploymentStatus | where TimeGenerated > ago(7d) | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(2d)

It is best to check against Table that all computers report on certain intervals. I am not sure which table is that Windows Analytics but feel free to suggest if there is a better one. Here we can look for machines that haven't reported for 2 days. As Windows Analytics is send on bigger intervals than Heartbeat you will need to accommodate to that.

Hope this helps.

Marc Shepard

Former Employee

May 04, 2018

For Upgrade Readiness, you can use UAComputer.LastScan. So, for example, a query like this might give you what you are looking for:

UAComputer | where TimeGenerated==toscalar(UAComputer | summarize max (TimeGenerated)) | summarize count() by LastScan

For more information on the Windows Analytics schema and sample queries, see https://techcommunity.microsoft.com/t5/Windows-Analytics-resources/Windows-Analytics-Extensibility/m-p/176068#M2

OrionWithrow

Brass Contributor

May 06, 2018

Marc Shepard Is there any way to refine this to only show machines that haven't reported data in greater than 10 days? If possible I would like to use this to create an alert.

Marc Shepard
Former Employee
May 18, 2018
let snapShot = toscalar(UAComputer | summarize max(TimeGenerated));
search in (UAComputer) TimeGenerated==snapShot and (LastScan < now() - time(10))
- OrionWithrow
  Brass Contributor
  May 22, 2018
  Found this in the OMS FAQ:
  
  How can I be notified when data collection stops?
  A: Use the steps described in https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-alerts-creating#create-an-alert-rule to be notified when data collection stops.
  When creating the alert for when data collection stops, set the:
  Name to Data collection stopped
  Severity to Warning
  Search query to Heartbeat | summarize LastCall = max(TimeGenerated) by Computer | where LastCall < ago(15m)
  Time window to 30 minutes.
  Alert frequency to every ten minutes.
  Generate alert based on to be number of results
  Number of results to be Greater than 0
  This alert will fire when the query returns results only if you have heartbeat missing for more than 15 minutes. Use the steps described in https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-alerts-actions configure an e-mail, webhook, or runbook action for the alert rule.