Forum Discussion
Gopi K
May 17, 2021Copper Contributor
Log Analystics Query for VMProcess Stopped
Hi,
I need to setup the alert rule for specific VMProcess is stopped.
Earlier , we used set the query using ConfigurationChange Table .
ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
| where Computer == "PRODWIN1234"
| where SvcDisplayName == "WMI Performance Adapter"
- CliveWatson
Microsoft
You probably only need to look at the last row/record that matches the ServiceName and State
ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
| where Computer == "PRODWIN1234"
| where SvcDisplayName == "WMI Performance Adapter"
| summarize arg_max(TimeGenerated,*)