Forum Discussion
Last Update
- Apr 27, 2018
Hi
You can use the same logic as the Heartbeat query for non-reporting computers. Of course, some things need to be changed. For example:
Heartbeat | where TimeGenerated > ago(7d) | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(15m)
For the Heartbeat, we are looking at data for the last 7 days and checking for computers that haven't reported in the last 15 minutes.
For Windows Analytics module it could be:
WaaSDeploymentStatus | where TimeGenerated > ago(7d) | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(2d)
It is best to check against a table that all computers report to at certain intervals. I am not sure which table that is for Windows Analytics, but feel free to suggest if there is a better one. Here we can look for machines that haven't reported for 2 days. As Windows Analytics data is sent at bigger intervals than Heartbeat, you will need to accommodate that.
Hope this helps.
let snapShot = toscalar(UAComputer | summarize max(TimeGenerated));
search in (UAComputer) TimeGenerated==snapShot and (LastScan < now() - time(10))
Found this in the OMS FAQ:
How can I be notified when data collection stops?
A: Use the steps described in https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-alerts-creating#create-an-alert-rule to be notified when data collection stops.
When creating the alert for when data collection stops, set the:
- Name to Data collection stopped
- Severity to Warning
- Search query to Heartbeat | summarize LastCall = max(TimeGenerated) by Computer | where LastCall < ago(15m)
- Time window to 30 minutes.
- Alert frequency to every ten minutes.
- Generate alert based on to be number of results
- Number of results to be Greater than 0
This alert will fire when the query returns results only if you have heartbeat missing for more than 15 minutes. Use the steps described in https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-alerts-actions to configure an e-mail, webhook, or runbook action for the alert rule.
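
The two queries from the first reply combined into a single search, as an added example that is not part of the original thread: each table gets its own silence threshold (15 minutes for Heartbeat, 2 days for WaaSDeploymentStatus, as suggested above). The `thresholds` table and the names `Source`, `MaxSilence`, `SilentFor` and `lookback` are assumptions chosen for illustration.

```kusto
// How far back to look for each computer's most recent record.
// A computer silent for longer than this drops out of the result entirely,
// so keep the lookback comfortably larger than the largest threshold.
let lookback = 7d;
// Per-table silence thresholds (values taken from the replies above).
let thresholds = datatable(Source: string, MaxSilence: timespan)
[
    "Heartbeat",            15m,
    "WaaSDeploymentStatus", 2d
];
// isfuzzy=true lets the query run even if one of the tables
// does not exist in the workspace (solution not installed).
union isfuzzy=true withsource=Source Heartbeat, WaaSDeploymentStatus
| where TimeGenerated > ago(lookback)
// Latest record per computer, kept separately for each source table.
| summarize LastCall = max(TimeGenerated) by Computer, Source
// Attach the threshold that belongs to the source table.
| join kind=inner thresholds on Source
// Keep only computers whose latest record is older than their threshold.
| where LastCall < now() - MaxSilence
| project Computer, Source, LastCall, SilentFor = now() - LastCall
| order by SilentFor desc
```

A computer can appear once per source, which distinguishes an agent that has stopped entirely from one that still sends heartbeats but no longer uploads Windows Analytics data.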