SOLVED

Automation to start/stop on conditions

Dante Nahuel Ciai
Contributor

Hi

I'm trying to perform an OMS automation that works on the following conditions:

Automatically brought online when certain nodes reach one of the following resource utilization levels:

Memory 85% for a 2hr duration (5min sampling periods)

OR

CPU 70% for a 15min duration (5 minute sampling periods)

Nodes brought up dynamically will be automatically shutdown at 11:00pm IF the following resource allocations are met: Memory is < 85% Utilization OR CPU < 70% utilization.

I think for the CPU and/or memory query condition I should create 2 queries:

Perf | where (CounterName == "% Committed Bytes In Use" or CounterName == "% Used Memory")
| where CounterName == "% Committed Bytes In Use"
| summarize AverageRAM = avg(CounterValue) by Computer
| where AverageRAM > 85

Perf
| where CounterName == "% Processor Time"
| summarize AverageRAM = avg(CounterValue) by Computer
| where AverageRAM > 70

and use the OMS workspace Alert to start a runbook with a simple Start-VM.

However, I'm struggling with the following:

First, I don't know how to add a between condition with the time. I'm not sure about the syntax. I want to add a between 2 hours ago.

Second, I'm sure I should optimize and summarize both queries into one with one or condition, but, again, I'm struggling with syntax and how I should engage the problem.

And last of all:

To meet the stop condition AND the time of the day, that should be something like "where CPU < 70 or RAM < 85 AND time 11:00 pm"
Am I right?

2 Replies
Solution

Ok so for the time I understand I should use TimeGenerated ago(120m)

So the two queries should look like:

Perf | where (CounterName == "% Committed Bytes In Use" or CounterName == "% Used Memory")
| where CounterName == "% Committed Bytes In Use" and TimeGenerated =< ago(120m)
| summarize AverageRAM = avg(CounterValue) by Computer
| where AverageRAM > 85

Perf
| where CounterName == "% Processor Time" and TimeGenerated =< ago(120m)
| summarize AverageRAM = avg(CounterValue) by Computer
| where AverageRAM > 70

Am I correct?
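
An added example, not part of the original posts: one alert query that covers both start conditions from the question (memory over 2 hours OR CPU over 15 minutes) and requires every 5-minute average in the window to exceed the threshold, not only the overall average. The computer names are placeholders, and the `_Total` instance filter is an assumption about how the processor counter is collected.

```kusto
// Added example, not from the thread. Computer names are placeholders.
let targets = dynamic(["node-a", "node-b"]);
// Memory: every 5-minute average in the last 2 hours is above 85 %.
let mem = Perf
    | where TimeGenerated > ago(2h)          // rows newer than 2 hours ago
    | where Computer in (targets)
    | where CounterName == "% Committed Bytes In Use"
    | summarize BinAvg = avg(CounterValue) by Computer, bin(TimeGenerated, 5m)
    | summarize LowestBin = min(BinAvg), Bins = count() by Computer
    | where LowestBin > 85
    | extend Reason = "memory above 85% for 2h";
// CPU: every 5-minute average in the last 15 minutes is above 70 %.
let cpu = Perf
    | where TimeGenerated > ago(15m)
    | where Computer in (targets)
    | where CounterName == "% Processor Time"
        and InstanceName == "_Total"         // assumption: aggregate instance
    | summarize BinAvg = avg(CounterValue) by Computer, bin(TimeGenerated, 5m)
    | summarize LowestBin = min(BinAvg), Bins = count() by Computer
    | where LowestBin > 70
    | extend Reason = "cpu above 70% for 15m";
// "OR" of the two conditions: a row from either branch raises the alert.
union mem, cpu
| project Computer, Reason, LowestBin, Bins
```

`Bins` shows how many 5-minute buckets backed each result; add a minimum on it if gaps in collection should not count as sustained load.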

Ok I think I made really good progress.

So the start up OMS query should be like this:

Two queries because both are not dependent on each other, one for CPU and one for RAM

Perf
| where CounterName == "% Committed Bytes In Use" and TimeGenerated > ago(2h)
| where ( Computer == "xxxx" or Computer == "xxxx" )
| summarize average_committed_bytes_percent = avg(CounterValue) by Computer
| where average_committed_bytes_percent > 85

That will trigger an alarm when more than 0 results are present
and that will trigger the automation account runbook with a simple start VMs PowerShell script.

Now the difficult part for me was the Stop VMs part because the request was to only activate it at 11:00 PM

So what I did was use a where at the end of the query getting hourofday(now()) == 23
and I think that did it.
Am I correct?

Let me hear some opinions.

Best regards
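
An added example, not part of the original posts: the stop condition from the question (memory < 85% OR CPU < 70%, only at 11:00 PM) as a single query using the `hourofday(now()) == 23` gate described above. The computer names, the 15-minute lookback and the `local_offset` value are assumptions; `now()` returns UTC, so the offset shifts the gate to the intended local hour.

```kusto
// Added example, not from the thread. Names and offset are placeholders.
let targets = dynamic(["node-a", "node-b"]);
let local_offset = 0h;   // assumption: set to the site's UTC offset, e.g. -3h
Perf
| where TimeGenerated > ago(15m)             // assumed lookback for "current" load
| where Computer in (targets)
| where CounterName == "% Committed Bytes In Use"
    or (CounterName == "% Processor Time" and InstanceName == "_Total")
// One row per computer with both averages side by side.
| summarize
    AvgMem = avgif(CounterValue, CounterName == "% Committed Bytes In Use"),
    AvgCpu = avgif(CounterValue, CounterName == "% Processor Time")
    by Computer
| where AvgMem < 85 or AvgCpu < 70
// Time gate: rows are returned only while the shifted clock reads 23:xx.
// The alert fires on every scheduled evaluation inside that hour, so the
// stop runbook should tolerate being started more than once.
| where hourofday(now() + local_offset) == 23
| project Computer, AvgMem, AvgCpu
```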
