Crashes query help

Copper Contributor

Hi Team, 

 

I trying to write a query that checks for crashes. I was told to use the Event table and look for below

where EventLog == "Application" 
where Source in (".NET Runtime")
 
and in the ServiceFabricOperationalEvent table look for:
| where EventMessage contains "UnexpectedTermination=true"
 
I am struggling to create a join query between the 2 tables. can someone please help write this query. its not working currently :(
 
Thanks for any help.
1 Reply

@Gk1981 

 

Both Schema items have a Computer column - I don't know how far you have got, but try this:

 

ServiceFabricOperationalEvent 
| where EventMessage contains "UnexpectedTermination=true"
| join (
    Event
    | where EventLog == "Application" 
    //| where Source == ".NET Runtime"
) on Computer 
| project EventLog , Computer

 

This is a working example (I don't have the Fabric data), so used Perf as an example

Go to Log Analytics and run query

Computer CounterName EventLog count_
AmberIgniteDemo % User Time Application 3