Forum Discussion

Arslan11's avatar
Arslan11
Brass Contributor
May 04, 2020

Machine not sedning pings

Kusto query  Heartbeat | where TimeGenerated > ago(24h) | where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk" | summarize LastCall = max(TimeGenerat...
Azure Log Analytics
azure monitor
CliveWatson's avatar
CliveWatson
Silver Contributor
May 04, 2020

Arslan11 

 

Look out for a Blog post on KQL and Time from me on the Sentinel blog, hopefully later this week.  Here we get just the "hours" from the TimeGenerated and use that to say, I only want this period of Hours between 07am and 22pm.  Please remove the "hour" column when you are happy this works as expected. 

 

Heartbeat
| where TimeGenerated > ago(1d)
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, hour
| where LastCall < ago(10m)
| order by hour asc

   

  • Arslan11's avatar
    Arslan11
    Brass Contributor
    May 04, 2020

    CliveWatsonThanks, you mentioned to remove the hour column, if I will do that, then the hour between will not work, or you want me to still remove it

     

     

    Heartbeat
    | where TimeGenerated > ago(1d)
    | where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
    //| where Computer == "demo2"
    | extend hour = datetime_part("hour", TimeGenerated)
    | where hour between (07 .. 22)
    | summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, hour
    | where LastCall < ago(10m)
    | order by hour asc

     

    • CliveWatson's avatar
      CliveWatson
      Silver Contributor
      May 04, 2020

      Arslan11 

       

      Sorry I meant from the Summarize line (you do need it until then), summarize becomes this 

       

      | summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment

       

      I just removed the ", hour" from the end of the line.

      • Arslan11's avatar
        Arslan11
        Brass Contributor
        May 04, 2020

        CliveWatsonThanks, Heartbeat
        | where TimeGenerated > ago(1d)
        | where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
        | where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk"
        | extend hour = datetime_part("hour", TimeGenerated)
        | where hour between (07 .. 22)
        | summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment,
        | where LastCall < ago(10m)
        | order by hour asc

         

        I am getting, after I removed the hour, do I need to put the hour back ?

        Query could not be parsed at '|' on line [8,0]

        Token: |
        Line: 8
        Position: 0

         

Resources