Forum Discussion
Solved
Query for computer start events
Hi everyone,
I'm trying to assist a customer with a query in Log Analytics to see whenever computers were turned on, by computer and by day.
I think I am on the right track in the Security Event ...
- Hi Here we go search in (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)
Hi
Here we go
search in (SecurityEvent) EventID == 4624
| summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)
Thank you so much, Stanislav!
Is it also possible to query for the total amount of time each computer is used each day (ideally excluding idle time)? Is that somewhere in the Perf table?
- Hi Your definition of idle is too vague. You will have to provide some explanation what you mean by idle time. There are thousand of performance counters on Windows Server and what Log Analytics gathers depends on what you've configured as data sources.
Here's all of the information I have on the request for two queries.
1) Usage count of computers
Number of times a user turns the power on (from sleep or shutdown) and performs an interactive login
2) Usage time of computers
The time (period) that a computer is unlocked and interactively logged on (excluding idle time if possible)
We can skip the idle time if that's difficult. Thanks so much! BTW, is there a list of these performance counters somewhere? Is this the right area?
https://msdn.microsoft.com/en-us/library/windows/desktop/aa373083(v=vs.85).aspx
