Forum Discussion
Need query for Getting the Status of a particular app pool in IIS
- Apr 29, 2019
Ah ok, so this is for an Alert. In that case, you always put the Time filter as part of the Alert form, not in the query, so I commented that line out.
I added a line to check for "5186" events and 'shutdown'. However, you will need to find the right EventIDs and txt (maybe you don't need the txt?). I only have 5186 events, so don't know the right IDs.
I then created a value for the output = 1 (success). So you can now tell the Alert to fire when the value is > zero.
    Event
    //| where TimeGenerated > ago(60d)
    //| where Computer contains "XXXXX"
    | where EventLog == "System" and Source == "Microsoft-Windows-WAS"
    | parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
    | where AppPoolName == "DefaultAppPool"
    | where RenderedDescription has "shutdown " and EventID == "5186"
    | extend AggregatedValue = 1
    //| summarize by AppPoolName, EventID, RenderedDescription, Computer
Mock Alert config. Where AggregatedValue > 0 (zero) - as this should be "1" if the query finds a match.
Look back 24hrs (1440mins - which is the max) and poll every 15mins - adjust these values to suit.
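To check the parse and filter logic from the reply above before wiring up the alert, the same pipeline can be run against a few inline rows. This is an added example, not part of the original thread: the rows, computer names and description text are constructed, the EventID 0 rows use a placeholder ID rather than a real WAS event ID, and EventID is declared as an int here.

```kusto
// Constructed sample rows standing in for the Event table (not real log data).
let SampleEvents = datatable(
    TimeGenerated: datetime, Computer: string, EventLog: string, Source: string,
    EventID: int, RenderedDescription: string, ParameterXml: string)
[
    // Should match: right pool, EventID 5186, description contains "shutdown".
    datetime(2019-04-29 10:00:00), "WEB01", "System", "Microsoft-Windows-WAS", 5186,
        "Constructed text: worker process serving the pool was shutdown due to inactivity.",
        "<Param>4321</Param><Param>DefaultAppPool</Param><Param>20</Param>",
    // Should not match: different application pool.
    datetime(2019-04-29 10:05:00), "WEB01", "System", "Microsoft-Windows-WAS", 5186,
        "Constructed text: worker process serving the pool was shutdown due to inactivity.",
        "<Param>5555</Param><Param>OtherPool</Param><Param>20</Param>",
    // Should not match: recycle wording, placeholder EventID 0 (not a real ID).
    datetime(2019-04-29 10:10:00), "WEB02", "System", "Microsoft-Windows-WAS", 0,
        "Constructed text: worker process has requested a recycle.",
        "<Param>6666</Param><Param>DefaultAppPool</Param><Param>x</Param>",
    // Edge case: the pool name is the last parameter, so the second
    // "</Param><Param>" delimiter never appears and the parse pattern fails.
    datetime(2019-04-29 10:15:00), "WEB02", "System", "Microsoft-Windows-WAS", 5186,
        "Constructed text: worker process serving the pool was shutdown.",
        "<Param>7777</Param><Param>DefaultAppPool</Param>",
    // Should not match: same EventID number from another source.
    datetime(2019-04-29 10:20:00), "WEB01", "System", "Service Control Manager", 5186,
        "Constructed text: unrelated shutdown message.",
        "<Param>1</Param><Param>DefaultAppPool</Param><Param>2</Param>"
];
SampleEvents
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
// Takes the text between the first and second "</Param><Param>" delimiters.
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "DefaultAppPool"
| where RenderedDescription has "shutdown" and EventID == 5186
// Constant the alert threshold (AggregatedValue > 0) is evaluated against.
| extend AggregatedValue = 1
| project TimeGenerated, Computer, AppPoolName, EventID, AggregatedValue
```

Only the first row should come back. The fourth row shows that an event carrying the pool name as its final parameter is dropped silently by this parse pattern, which is worth checking against the real ParameterXml of whichever stop or start event is eventually used.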
CliveWatson Thanks for helping me with this... I see that you got this working with rendered description as "shutdown"... One thing I am noticing is I don't see any entries with shutdown, but I see with rendered description "has requested a recycle". I have set the alert with this description, but looks like the user needs to know when it stopped and started instead of recycle. Need to check more on this.
- Irfan_Shaikh, Jul 22, 2021, Copper Contributor
RCDevops777 I have also come across the same situation. Did you figure out stopped or started of IIS service?
- CliveWatson, Apr 30, 2019, Former Employee
Sounds like we are nearly done. I did mention I used 'Shutdown' as a test bit of text.
Hopefully you'll be able to spot a real "stopped" event soon, and get the real EventID # and/or correct text
:-)