Forum Discussion

Gopi K
Copper Contributor
May 17, 2021

Log Analytics Query for VMProcess Stopped

Hi, 

 

I need to set up an alert rule for when a specific VMProcess is stopped.

 

Earlier, we used to set the query using the ConfigurationChange table.

 

ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
| where Computer == "PRODWIN1234"
| where SvcDisplayName == "WMI Performance Adapter"

  • You probably only need to look at the last row/record that matches the ServiceName and State

    ConfigurationChange
    | where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
    | sort by TimeGenerated desc
    | where Computer == "PRODWIN1234"
    | where SvcDisplayName == "WMI Performance Adapter"
    | summarize arg_max(TimeGenerated,*)
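
An added example, not part of the original reply: the query above filters on SvcState == "Stopped" before arg_max, so it returns the last stop event even if the service has started again since. The variant below takes the latest record per service first and only then checks its state. SampleChanges and its rows are constructed stand-ins for the ConfigurationChange table.

```kusto
// Constructed sample rows: one service that stopped and restarted,
// and one service (hypothetical second entry) that is still stopped.
let SampleChanges = datatable(
    TimeGenerated: datetime,
    Computer: string,
    ConfigChangeType: string,
    SvcDisplayName: string,
    SvcState: string)
[
    datetime(2021-05-17 08:00:00), "PRODWIN1234", "WindowsServices", "WMI Performance Adapter", "Stopped",
    datetime(2021-05-17 08:10:00), "PRODWIN1234", "WindowsServices", "WMI Performance Adapter", "Running",
    datetime(2021-05-17 09:00:00), "PRODWIN1234", "WindowsServices", "Print Spooler", "Stopped"
];
SampleChanges
| where ConfigChangeType == "WindowsServices"
| where Computer == "PRODWIN1234"
// Latest change record for each service on each computer, whatever its state.
| summarize arg_max(TimeGenerated, *) by Computer, SvcDisplayName
// Keep only services whose most recent recorded state is Stopped.
| where SvcState == "Stopped"
| project TimeGenerated, Computer, SvcDisplayName, SvcState
```

To run it against live data, replace SampleChanges with ConfigurationChange and add a filter on SvcDisplayName for the service of interest; the alert rule can then fire when the query returns any rows.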
