Forum Discussion
Solved
Show only last status of a service
I am trying to write a query that shows me on which VM a service is not running. The basic framework is quite easy to find on the net: Event | where TimeGenerated >ago(1d) | where EventLog == ...
- You can use arg_max() - simplified example:
Event
| where TimeGenerated >ago(1d)
| where EventLog == "System"
| summarize arg_max(TimeGenerated, EventID, Computer)
You can use arg_max() - simplified example:
Event
| where TimeGenerated >ago(1d)
| where EventLog == "System"
| summarize arg_max(TimeGenerated, EventID, Computer)
Event
| where TimeGenerated >ago(1d)
| where EventLog == "System"
| summarize arg_max(TimeGenerated, EventID, Computer)