Forum Discussion
Need query for Getting the Status of a particular app pool in IIS
Ah ok, so this is for an Alert. in that case, you always put the Time filter as part of the Alert form, not in the query, so I commented that line out.
I added a line to check for "5186" events and 'shutdown' However you will need to find the right EventIDs and txt (maybe you don't need the txt?). I only have 5186 events, so don't know the right IDs.
I then created value for the output = 1 (success). So you can now tell the Alert to fire when the value is > zero.
Event //| where TimeGenerated > ago(60d) //| where Computer contains "XXXXX" | where EventLog == "System" and Source == "Microsoft-Windows-WAS" | parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" * | where AppPoolName == "DefaultAppPool" | where RenderedDescription has "shutdown " and EventID =="5186" | extend AggregatedValue =1 //| summarize by AppPoolName, EventID, RenderedDescription, Computer
Mock Alert config. Where AggregatedValue > 0 (zero) - as this should be "1" if the query finds a match.
Look back 24hrs(1440mins - which is the max) and poll every 15mins - adjust these values to suit.
this would show the time of the event?
Event | where TimeGenerated > ago(60d) //| where Computer contains "XXXXX" | where EventLog == "System" and Source == "Microsoft-Windows-WAS" | parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" * | where AppPoolName == "DefaultAppPool" | summarize by TimeGenerated, AppPoolName, EventID, RenderedDescription, Computer
I dont need the time...basically trying to create an log search alert ...so that we know when the app pool stopped or crashed.