Forum Discussion

Khushal Jobanputra
Copper Contributor
Aug 09, 2018
Solved

Query for finding computers with % processor time above 50 when a security event is occurring

This is my first time working with Azure Log Analytics and I wanted some feedback on whether my approach to my data request is correct. I need computers which have % processor time above 50 which also ha...
    Stanislav_Zhelyazkov
    Aug 09, 2018

    Hi,

    I think what you are trying to achieve is the query below:

    // Computers that logged at least one security event in the last 24 hours
    let ComputersWithSecurityEvents = SecurityEvent
    | where TimeGenerated > ago(24h)
    | distinct Computer;
    // Average total CPU over the same 24 hours, restricted to those computers
    Perf
    | where Computer in (ComputersWithSecurityEvents)
    | where TimeGenerated > ago(24h)
    | where CounterName == "% Processor Time" and InstanceName == "_Total"
    | summarize AggregatedValue = avg(CounterValue) by Computer
    | where AggregatedValue > 50   // keep only computers averaging above 50%

    Let me know if this is what you wanted to achieve. I've put the computers with security events into a separate table, and I am only taking the computer names from there and matching them to the performance query. I've also corrected your time window, as you were using < instead of >. With this query it will get the data for the last 24 hours from both performance and security.
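The query in the answer correlates by computer only: a machine that averaged over 50% CPU across the day and logged any security event in that same day will match, even if the two happened hours apart. The KQL below is an added example, not part of the original thread or either poster's code, that tightens the correlation to the same time window by bucketing both tables into 5-minute bins and joining on Computer and bin. The 24h lookback, 5m bin size, threshold of 50, and the extra ObjectName == "Processor" filter (which excludes the Process object, whose _Total instance also reports "% Processor Time") are assumptions chosen for illustration.

```kql
// Added example (not from the original thread): CPU above 50% and
// security events on the same computer in the same 5-minute window.
// Assumptions: Perf and SecurityEvent in one workspace; lookback,
// bin size, and threshold are illustrative values.
let lookback = 24h;
let bin_size = 5m;
let cpu_threshold = 50;
// Per-computer, per-bin average of total CPU, keeping only busy bins
let HighCpu = Perf
    | where TimeGenerated > ago(lookback)
    | where ObjectName == "Processor"
        and CounterName == "% Processor Time"
        and InstanceName == "_Total"
    | summarize AvgCpu = avg(CounterValue)
        by Computer, TimeBin = bin(TimeGenerated, bin_size)
    | where AvgCpu > cpu_threshold;
// Per-computer, per-bin count of security events plus the distinct IDs seen
let SecEvents = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | summarize EventCount = count(), EventIds = make_set(EventID)
        by Computer, TimeBin = bin(TimeGenerated, bin_size);
// Inner join: only bins where BOTH high CPU and security events occurred
HighCpu
| join kind=inner (SecEvents) on Computer, TimeBin
| project TimeBin, Computer, AvgCpu, EventCount, EventIds
| order by TimeBin desc, AvgCpu desc
```

The inner join drops any bin where only one side has data, so the result lists exactly the (computer, window) pairs in which the CPU was busy while security events were being logged; the project step discards the duplicate Computer1/TimeBin1 columns the join produces. Shrink bin_size for a tighter correlation, or switch to kind=leftouter on HighCpu to also see busy windows with no security events.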