Machine not sedning pings

%3CLINGO-SUB%20id%3D%22lingo-sub-1357540%22%20slang%3D%22en-US%22%3EMachine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1357540%22%20slang%3D%22en-US%22%3E%3CP%3EKusto%20query%26nbsp%3B%3C%2FP%3E%3CP%3EHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%3CBR%20%2F%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20need%20assistance%20with%20this%20query%2C%20I%20don't%20want%20to%20be%20reported%20for%20the%20following%20servers%20in%20not%20sending%20pings%2C%20those%20severs%20get%20shutdown%20at%2010%3A00pm%20UK%20time%20and%20starts%20at%206%3A00am%20uk%20time.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20want%20those%20servers%20to%20be%20reported%20from%2010%3A00pm%20to%206%3A00am%2C%20how%20can%20I%20amend%20my%20existing%20query%20and%20make%20this%20possible%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1357540%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358389%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358389%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELook%20out%20for%20a%20Blog%20post%20on%20KQL%20and%20Time%20from%20me%20on%20the%20Sentinel%20blog%2C%20hopefully%20later%20this%20week.%26nbsp%3B%20Here%20we%20get%20just%20the%20%22hours%22%20from%20the%20TimeGenerated%20and%20use%20that%20to%20say%2C%20I%20only%20want%20this%20period%20of%20Hours%20between%2007am%20and%2022pm.%26nbsp%3B%20Please%20remove%20the%20%22hour%22%20column%20when%20you%20are%20happy%20this%20works%20as%20expected.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3EHeartbeat%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1d)%0A%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%0A%7C%20where%20hour%20between%20(07%20..%2022)%0A%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%2C%20hour%0A%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%0A%7C%20order%20by%20hour%20asc%20%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358469%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358469%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EThanks%2C%20you%20mentioned%20to%20remove%20the%20hour%20column%2C%20if%20I%20will%20do%20that%2C%20then%20the%20hour%20between%20will%20not%20work%2C%20or%20you%20want%20me%20to%20still%20remove%20it%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1d)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%2F%2F%7C%20where%20Computer%20%3D%3D%20%22demo2%22%3CBR%20%2F%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3CBR%20%2F%3E%7C%20where%20hour%20between%20(07%20..%2022)%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%2C%20hour%3CBR%20%2F%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%3CBR%20%2F%3E%7C%20order%20by%20hour%20asc%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358514%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358514%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESorry%20I%20meant%20from%20the%20Summarize%20line%20(you%20do%20need%20it%20until%20then)%2C%20summarize%20becomes%20this%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20%20language-cpp%22%3E%3CCODE%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20just%20removed%20the%20%22%3CSTRONG%3E%2C%20hour%3C%2FSTRONG%3E%22%20from%20the%20end%20of%20the%20line.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358535%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358535%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EThanks%2C%26nbsp%3BHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1d)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3CBR%20%2F%3E%7C%20where%20hour%20between%20(07%20..%2022)%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%2C%3CBR%20%2F%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%3CBR%20%2F%3E%7C%20order%20by%20hour%20asc%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20getting%2C%20after%20I%20removed%20the%20hour%2C%20do%20I%20need%20to%20put%20the%20hour%20back%20%3F%3C%2FP%3E%3CP%3EQuery%20could%20not%20be%20parsed%20at%20'%7C'%20on%20line%20%5B8%2C0%5D%3C%2FP%3E%3CP%3EToken%3A%20%7C%3CBR%20%2F%3ELine%3A%208%3CBR%20%2F%3EPosition%3A%200%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358573%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358573%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EI%20have%20amended%20by%20query%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3CBR%20%2F%3E%7C%20where%20hour%20between%20(07%20..%2022)%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eremoved%20the%20hour%20from%20the%20last%20line%2C%20is%20that%20what%20you%20were%20asking%20for%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358594%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358594%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThat's%20correct%20syntax%2C%20it%20totally%20up%20to%20you%20to%20remove%20the%20%3CSTRONG%3EHour%3C%2FSTRONG%3E%20column%20(it's%20probably%20useful%20when%20building%2Ftesting%20the%20query%20but%20not%20after%20that)%3B%20your%20choice....%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20think%20it%20may%20be%20useful%20in%20the%20future%2C%20you%20could%20also%20comment%20it%20out%20rather%20than%20remove%20it%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ee.g.%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%20LastCall%20%3D%20max%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3ETimeGenerated%3C%2FSPAN%3E%3CSPAN%3E)%3C%2FSPAN%3E%20%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20Computer%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20ComputerEnvironment%20%3C%2FSPAN%3E%3CSTRONG%3E%2F%2F%2C%20hour%3C%2FSTRONG%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358635%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358635%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3Ejust%20to%20have%20better%20understanding%20on%20my%20logic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhy%20is%20it%20important%20to%20have%20the%20hour%20column%2C%20is%20it%20for%20testing%20purposes%2C%20when%20you%20want%20to%20see%20%2C%20which%20machines%20are%20not%20pinging%20in%20that%20hour%20and%20it%20will%20show%20the%20machines%20that%20are%20switched%20off%2C%20when%20testing%20the%20query%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358740%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358740%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EJust%20for%20testing%2C%20we%20create%20it%20here%20(line%201%20below)%2C%20in%20line%202%20we%20use%20it%20to%20further%20filter%20the%20rows%20returned%20by%20the%20query%20-%20in%20this%20case%20those%20hours%20that%20start%20between%207am%20and%2022pm.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%20that%20it%20isn't%20really%20needed%20in%20the%20display%20(optional).%26nbsp%3B%20I%20only%20added%20it%20to%20the%20%3CSTRONG%3Esummarise%3C%2FSTRONG%3E%20line%2C%20so%20I%20could%20check%20I'd%20done%20the%20query%20correctly.%26nbsp%3B%20%26nbsp%3BYou%20may%20like%20to%20keep%20it%2C%20to%20check%20I'm%20right%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%7C%20where%20hour%20between%20(07%20..%2022)%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358906%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358906%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EThanks%20for%20the%20clarification%2C%20the%20query%20is%20working%20as%20expected%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThose%20machines%20turned%20off%20at%2010%3A00pm%20and%20I%20didn't%20get%20machine%20not%20sending%20pings%20alerts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20will%20keep%20the%26nbsp%3B%3CSPAN%3Esummarise%20line%2C%20for%20my%20members%20of%20team%2C%20if%20they%20will%20run%20the%20query%20%2C%20they%20will%20be%20able%20to%20see%20other%20machines%20apart%20from%20the%20machines%20that%20we%20do%20not%20want%20to%20be%20monitored%20between%206%3A00%20am%20and%2010%3A00pm%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFinal%20query%3C%2FP%3E%3CP%3E%3CSTRONG%3EHeartbeat%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NH-AAHW2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NH-ADAPPP-02.networkhg.org.uk%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20hour%20between%20(06%20..%2022)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%2C%20hour%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359322%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359322%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20write%20the%20query%20like%20this%20(removing%20lots%20of%20the%20'and%20Computer%20%3D%3D')%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20uses%20IN%20and%20!IN%26nbsp%3B%20(in%2C%20and%20'not%20in')%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Finoperator%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Finoperator%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3EHeartbeat%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%0A%7C%20where%20Computer%20!in%20(%22NH-CMVMAAZ.networkhg.org.uk%22%2C%22UAT-WVD-REL86-0.networkhg.org.uk%22)%0A%7C%20where%20Computer%20in%20(%22NET-CCWALLBOARD.networkhg.org.uk%22%2C%22NET-FS3.networkhg.org.uk%22%2C%22NET-GISAPP1.networkhg.org.uk%22%2C%22NET-GISSQL1.networkhg.org.uk%22%2C%22NET-OVUAT2.networkhg.org.uk%22%2C%22NET-P2PTESTAPP1.networkhg.org.uk%22)%0A%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%0A%7C%20where%20hour%20between%20(06%20..%2022)%0A%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%20%20%2F%2F%2C%20hour%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOther%20great%20Resources%20to%20read%20are%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%20practise%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fbest-practices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fbest-practices%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EPrefer%20using%20case-sensitive%20operators%20when%20applicable%2C%20as%20they%20are%20more%20performant.%20For%20example%2C%20prefer%20using%26nbsp%3B%3CCODE%3E%3D%3D%3C%2FCODE%3E%26nbsp%3Bover%26nbsp%3B%3CCODE%3E%3D~%3C%2FCODE%3E%2C%26nbsp%3B%3CCODE%3Ein%3C%2FCODE%3E%26nbsp%3Bover%26nbsp%3B%3CCODE%3Ein~%3C%2FCODE%3E%2C%20and%26nbsp%3B%3CCODE%3Econtains_cs%3C%2FCODE%3E%26nbsp%3Bover%26nbsp%3B%3CCODE%3Econtains%3C%2FCODE%3E%26nbsp%3B(but%20if%20you%20can%20avoid%26nbsp%3B%3CCODE%3Econtains%3C%2FCODE%3E%2F%3CCODE%3Econtains_cs%3C%2FCODE%3E%26nbsp%3Baltogether%20and%20use%26nbsp%3B%3CCODE%3Ehas%3C%2FCODE%3E%2F%3CCODE%3Ehas_cs%3C%2FCODE%3E%2C%20that's%20even%20better).%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Fquery-optimization%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Fquery-optimization%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1360483%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1360483%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3BI%20tired%20this%20using%20the%20in%20and%20!in%2C%20I%20am%20afraid%2C%20it%20didn't%20work.%20You%20can%20see%20the%20results%2C%20is%20displaying%20the%20machines%20that%20are%20turned%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20revert%20back%20to%20the%20old%20query%2C%20not%20using%20the%20in%20and%20!in%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Arslan11_0-1588692074767.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189028iE9869A8D4FBA1293%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Arslan11_0-1588692074767.png%22%20alt%3D%22Arslan11_0-1588692074767.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1361695%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361695%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3BI%20tired%20this%20using%20the%20in%20and%20!in%2C%20I%20am%20afraid%2C%20it%20didn't%20work.%20You%20can%20see%20the%20results%2C%20is%20displaying%20the%20machines%20that%20are%20turned%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20revert%20back%20to%20the%20old%20query%2C%20not%20using%20the%20in%20and%20!in%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1363253%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1363253%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%20I%20tired%20this%20using%20the%20in%20and%20!in%2C%20I%20am%20afraid%2C%20it%20didn't%20work.%20You%20can%20see%20the%20results%2C%20is%20displaying%20the%20machines%20that%20are%20turned%20on.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20revert%20back%20to%20the%20old%20query%2C%20not%20using%20the%20in%20and%20!in%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1363588%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1363588%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20said%20you%20had%20reverted%2C%20to%20not%20suing%20the%20IN%20and%20!in%20so%20I%20didn't%20reply%20again.%20Is%20the%20original%20query%20not%20working%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1363856%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1363856%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3BI%20think%20the%20query%20isn't%20working%20properly%20because%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHeartbeat%26nbsp%3B%20%3C%2FSTRONG%3E%3CSTRONG%3Ehour%20to%20monitor%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%20%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20where%20hour%20between%20(07%20..%2022)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%20%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EBecause%20I%20was%20wondering%20it%20has%20been%20two%20days%20and%20I%20haven't%20recived%20a%20single%20alert%20for%20machine%20not%20sending%20pings.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EI%20run%20another%20query%20to%20see%2C%20if%20we%20had%20any%20machines%20that%20were%20not%20pinging%20and%20there%20is%20one%20at%208%3A00am%2C%20which%20I%20didn't%20got%20alert%20about%3C%2FSTRONG%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Arslan11_0-1588775638318.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189485i1E8A2B2F8BEBAA84%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Arslan11_0-1588775638318.png%22%20alt%3D%22Arslan11_0-1588775638318.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ECan%20you%20please%20have%20a%20look%20at%20my%20query%20again%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364073%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364073%22%20slang%3D%22en-US%22%3EThe%20screen%20shot%20shows%20two%20servers%2C%20one%20is%20at%208%3A56%20is%20that%20the%20one%2C%20you%20say%20is%208am%3F%20If%20the%20query%20is%20working%2C%20it%20may%20be%20the%20Alert%20that%20isn't%20setup%20right%3F%20Is%20this%20an%20Azure%20Monitor%20alert%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364366%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364366%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3BNot%20an%20alert%2C%20just%20a%20query%20that%26nbsp%3B%20I%20run%20to%20see%20if%20there%20were%20any%20machines%20that%20weren't%20sending%20the%26nbsp%3B%20pings%20%2C%20and%20one%20machine%20came%20up%20at%20this%20time.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Arslan11_0-1588780305176.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189520i8081C6823E978349%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Arslan11_0-1588780305176.png%22%20alt%3D%22Arslan11_0-1588780305176.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ECan%20you%20please%20have%20a%20look%20at%20this%20query%20again%2C%20I%20still%20want%20to%20be%20alerted%20about%20other%20machines%20which%20is%20not%20sending%20the%20pings%2C%26nbsp%3B%20expect%20the%20one's%20which%20get's%20turn%20off%20at%2010%3A00%20pm%20and%20turn%20back%20on%20at%206%3A00%20am%20as%20shown%20in%20the%20query%20below%2C%20which%20you%20helped%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHeartbeat%20existing%20query%3C%2FP%3E%3CP%3EHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NH-AAHW2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NH-ADAPPP-02.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-0.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-4.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3CBR%20%2F%3E%7C%20where%20hour%20between%20(06%20..%2022)%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364719%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364719%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20think%20I'm%20understanding%20your%20requirements%20a%20bit%20more%20now.%26nbsp%3B%20This%20now%20does%20the%20work%20in%20two%20phases%2C%20the%20first%20part%20deals%20with%20the%20shutdown%20servers%20in%20the%20time%20windows%20you%20specified.%26nbsp%3B%20I%20then%20join%20those%20with%20all%20the%20other%20servers%2C%20to%20show%20the%20%3CSTRONG%3ElastCall%3C%2FSTRONG%3E%20for%20both%20(but%20none%20of%20the%20ones%20in%20the%20shutdown%20window).%26nbsp%3B%20%26nbsp%3BI%20that%20right%3F%26nbsp%3B%20Please%20test%20and%20adjust%20the%20KQL%20yourself%20to%20suit%20your%20expected%20outcome.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3E%2F%2F%20please%20add%20a%20list%20of%20your%20servers%20here%2C%20these%20ones%20are%20the%20ones%20that%20are%20*shutdown*%20overnight%0Alet%20shutdownComputers%20%3D%20dynamic(%5B%22rancher-node-1%22%2C%22rancher-node-2%22%2C%22rancher-node-3%22%5D)%3B%0A%2F%2F%20config%20the%20hours%20to%20exclude%0Alet%20startHour%20%3D%2007%3B%20%20%20%2F%2F%207am%0Alet%20endHour%20%20%20%3D%2022%3B%20%20%20%2F%2F%2010pm%0AHeartbeat%0A%2F%2F%20Get%20just%20the%20excluded%20Servers%0A%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(1d))%20%0A%7C%20where%20Computer%20in%20(shutdownComputers)%0A%7C%20summarize%20LastCall%20%3D%20arg_max(%20TimeGenerated%2C%20datetime_part(%22hour%22%2C%20TimeGenerated)%20between(%20startHour%20..%20endHour)%20)%0A%20%20%20%20%20%20%20%20%20%20%20%20by%20Computer%2C%20sComputer%20%3D%20strcat(%22Computer%20in%20OFFLINE%20list%20from%20%22%2C%20startHour%2C%22%20to%20%22%2C%20endHour%2C%22%20%3A%22%2CComputer)%2C%20ComputerEnvironment%0A%7C%20where%20isnotempty(LastCall)%0A%7C%20project%20Computer%20%2C%20LastCall%2C%20sComputer%0A%2F%2F%20Now%20join%20those%20excluded%20servers%20with%20the%20others...%20%20%20%0A%7C%20join%20kind%3D%20fullouter%20%20%0A%20(%0A%20%20%20%20Heartbeat%0A%20%20%20%20%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(1d))%20%0A%20%20%20%20%7C%20where%20Computer%20!in%20(shutdownComputers)%0A%20%20%20%20%7C%20summarize%20LastCall%20%3D%20arg_max(TimeGenerated%2C*)%20by%20Computer%0A%20)%20on%20Computer%0A%2F%2F%20This%20bit%20can%20probably%20be%20improved%20if%20I%20get%20time%20%20%0A%7C%20extend%20Computer%20%3D%20iif(isempty(Computer)%2CComputer1%2CComputer)%2C%0A%20%20%20%20%20%20%20%20%20LastCall%20%3D%20iif(isempty(LastCall)%2CLastCall1%2CLastCall)%0A%7C%20summarize%20by%20LastCall%2C%20Computer%2C%20sComputer%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fms.portal.azure.com%23%4072f988bf-86f1-41af-91ab-2d7cd011db47%2Fblade%2FMicrosoft_Azure_Monitoring_Logs%2FDemoLogsBlade%2FresourceId%2F%252FDemo%2Fsource%2FLogsBlade.AnalyticsShareLinkToQuery%2Fq%2FH4sIAAAAAAAAA5VTTW%25252BbQBC9W%25252FJ%25252FmHICi9hxeojUyL1E%25252BZKi9NDcqipa2MGsC7tod7BN1R%25252FfAQys%25252ByWVAzBfvNn3HqsVVAUKhyCkBAGFcgQmg8bUFhzaPVoHOVqMgXLkNqPRgbDYhn1AuaAus3B5TdIc9AIMz2m1zWk%25252BK5BgKNyasqqp%25252FeQGZKNFqdLwS2CFThniQhuJF%25252BsgPk9c%25252FZp4H3yNbuaz1QpSozO17TbJeV9exQAe06KWeMIlYemxPcoGLq9vAICnrkXZV1HLrgZcvbo6VdeXFZcfkQcTFNThPHDzrmZiWqQTgITPPTvz2Q84tAzBqyrxATVaQVz%25252B2KObTIomFFsTrmUUwdQ9cAFKQ%25252FgbQVHb6OqyFFZ9R3gWjm5FUfCmwm7fSnEMz%25252BFikPwgTr1VjBoGLSFBfN4UQYJ0QNShx8xyORARAaOCdyXNuGUMblx4w9M2FQzin%25252BHT%25252Ff3z08td76DMmhIYfoSJg1YczpywOP4QxMN8FI9Ad3qvrNElapq4Uk4bwrKiJhyY6AiqrNlhShOX8ciUt3Cn4Ys5wM7wnpQb56k4ePygKO89zTfrlkwLdGp1Q9%25252BUlhvI6qIwHQ5XIOzJ8qzShv9nBn9iPMS7vzmi7%25252F6nK85NsYh8DfkDEf%25252BycMbLa64cJIogFbrlMxFJ0bBPQJUc7Xl3lcETbPkXaN3Vc4JHYh3Bc4RSWahcL9Gk6vC29pT2LObt78%25252BPEsfD2zo%25252Bk31igE83Cf4Hr%25252F4EW75M2t8EAAA%25253D%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGo%20to%20Log%20Analytics%20and%20run%20query%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1365027%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1365027%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%20%26nbsp%3BI%20did%20query%20accroding%20to%20my%20need.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EStill%20not%20working%2C%20please%20let%20me%20know%2C%20where%20I%20went%20wrong.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%2F%2F%20please%20add%20a%20list%20of%20your%20servers%20here%2C%20these%20ones%20are%20the%20ones%20that%20are%20*shutdown*%20overnight%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3Elet%20shutdownComputers%20%3D%20dynamic(%5B%3C%2FSPAN%3E%3CSPAN%3E%22NET-CCWALLBOARD.networkhg.org.uk%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22NET-FS3.networkhg.org.uk%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22NET-GISAPP1.networkhg.org.uk%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22NET-GISSQL1.networkhg.org.uk%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22NET-OVUAT2.networkhg.org.uk%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22NET-P2PTESTAPP1.networkhg.org.uk%22%3C%2FSPAN%3E%3CSPAN%3E%5D)%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%2F%2F%20config%20the%20hours%20to%20exclude%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3Elet%20startHour%20%3D%20%3C%2FSPAN%3E%3CSPAN%3E22%3C%2FSPAN%3E%3CSPAN%3E%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3Elet%20endHour%20%3D%20%3C%2FSPAN%3E%3CSPAN%3E06%3C%2FSPAN%3E%3CSPAN%3E%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EHeartbeat%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%2F%2F%20Get%20just%20the%20excluded%20Servers%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20TimeGenerated%20%26gt%3B%20startofday(ago(%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed))%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20in%20(shutdownComputers)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%20LastCall%20%3D%20arg_max(%20TimeGenerated%2C%20datetime_part(%3C%2FSPAN%3E%3CSPAN%3E%22hour%22%3C%2FSPAN%3E%3CSPAN%3E%2C%20TimeGenerated)%20between(%20startHour%20..%20endHour)%20)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20Computer%2C%20sComputer%20%3D%20strcat(%3C%2FSPAN%3E%3CSPAN%3E%22Computer%20in%20OFFLINE%20list%20from%20%22%3C%2FSPAN%3E%3CSPAN%3E%2C%20startHour%2C%3C%2FSPAN%3E%3CSPAN%3E%22%20to%20%22%3C%2FSPAN%3E%3CSPAN%3E%2C%20endHour%2C%3C%2FSPAN%3E%3CSPAN%3E%22%20%3A%22%3C%2FSPAN%3E%3CSPAN%3E%2CComputer)%2C%20ComputerEnvironment%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20isnotempty(LastCall)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Eproject%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20%2C%20LastCall%2C%20sComputer%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%2F%2F%20Now%20join%20those%20excluded%20servers%20with%20the%20others...%20%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ejoin%3C%2FSPAN%3E%3CSPAN%3E%20kind%3D%20fullouter%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E(%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EHeartbeat%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20TimeGenerated%20%26gt%3B%20startofday(ago(%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed))%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20!in%20(shutdownComputers)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%20LastCall%20%3D%20arg_max(TimeGenerated%2C*)%20%3C%2FSPAN%3E%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20Computer%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E)%20onComputer%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%2F%2F%20This%20bit%20can%20probably%20be%20improved%20if%20I%20get%20time%20%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Eextend%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20%3D%20iif(isempty(%3C%2FSPAN%3E%3CSPAN%3E%22NH-CMVMAAZ.networkhg.org)%2C)%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3ELastCall%20%3D%20iif(isempty(LastCall)%2CLastCall1%2CLastCall)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20summarize%20by%20LastCall%2C%20Computer%2C%20sComputer%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1365041%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1365041%22%20slang%3D%22en-US%22%3EHello%2C%20You%20only%20needed%20to%20change%20line%201%2C%20not%20the%202nd%20to%20last%20line%20as%20well.%20I%20cannot%20tell%20what%20is%20not%20working%20without%20the%20results%20or%20error.%20This%20thread%20is%20probably%20getting%20too%20long.%20Maybe%20private%20message%20me%20the%20results%2C%20screenshot%20or%20csv%20file%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1365622%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1365622%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EI%20was%20unable%20to%20send%20private%20message%2C%20that's%20why%20I%20have%20put%20it%20over%20here%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%20for%20confusing%20you%2C%20what%20I%20wanted%20exactly%20in%20my%20query%20to%20be%20set%20up%20as%20alert.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20to%20know%2C%20if%20any%20machine%20is%20not%20sending%20pings%2C%20expect%26nbsp%3B%20machines%26nbsp%3B%20that%20shut%20down%20at%2010%3A00pm%20and%20start%20at%206%3A00am%2C%20but%20it%20should%20still%20report%20if%20not%20sending%20pings%20between%207%3A00%20am%20to%209%3A00pm.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMachines%20that%20shut%20down.%3C%2FP%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_0%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_3%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-margincell%20fxc-gc-margincell-contextmenu%20fxc-gc-margincolumncell_1_1%20%22%3E%3CDIV%20class%3D%22fxc-gc-contextmenushortcut%20azc-toolbarButton-container%20azc-toolbar-item%20azc-toolbarButton-command%20fxs-portal-hover%20fxs-portal-svg%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2Frg-vm_ccwallboard-prod-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNET-CCWALLBOARD1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENET-CCWALLBOARD1%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_1%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_3%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-margincell%20fxc-gc-margincell-contextmenu%20fxc-gc-margincolumncell_1_1%20%22%3E%3CDIV%20class%3D%22fxc-gc-contextmenushortcut%20azc-toolbarButton-container%20azc-toolbar-item%20azc-toolbarButton-command%20fxs-portal-hover%20fxs-portal-svg%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2FRG-VM_FS3-PROD-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNet-fs3%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENet-fs3%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_1%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_2%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-margincell%20fxc-gc-margincell-contextmenu%20fxc-gc-margincolumncell_1_1%20%22%3E%3CDIV%20class%3D%22fxc-gc-contextmenushortcut%20azc-toolbarButton-container%20azc-toolbar-item%20azc-toolbarButton-command%20fxs-portal-hover%20fxs-portal-svg%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2FRG-VM_GISAPP-PROD-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNET-GISAPP1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENET-GISAPP1%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_1%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_3%22%3E%3CDIV%20class%3D%22fxc-gc-text%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-margincell%20fxc-gc-margincell-selectioncheckbox%20fxc-gc-margincolumncell_1-0%20%22%3E%3CDIV%20class%3D%22fxc-gc-selectioncheckbox%20azc-br-muted%20azc-fill-text%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2FRG-VM_GISSQL-PROD-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNET-GISSQL1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENET-GISSQL1%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_1%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-margincell%20fxc-gc-margincell-contextmenu%20fxc-gc-margincolumncell_1_1%20%22%3E%3CDIV%20class%3D%22fxc-gc-contextmenushortcut%20azc-toolbarButton-container%20azc-toolbar-item%20azc-toolbarButton-command%20fxs-portal-hover%20fxs-portal-svg%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2Frg-vm_ovuat-prod-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNET-OVUAT2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENET-OVUAT2%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_1%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_4%22%3E%3CDIV%20class%3D%22fxc-gcflink%20fxc-gc-text%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2FRG-VM_P2PTESTAPP-PROD-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNET-P2PTESTAPP1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENET-P2PTESTAPP1%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_1%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_3%22%3E%3CDIV%20class%3D%22fxc-gc-text%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2FRG-VM_AAHW-PROD-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNH-AAHW2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENH-AAHW2%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_1%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_3%22%3E%3CDIV%20class%3D%22fxc-gc-text%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2Frg-vm_adappp-prod-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNH-ADAPPP-02%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENH-ADAPPP-02%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22fxc-gc-row%20fxc-gc-row_1%20azc-br-muted%20fxs-portal-hover%22%3E%3CDIV%20class%3D%22fxc-gc-row-content%20fxc-gc-row-content_1%22%3E%3CDIV%20class%3D%22fxc-gc-cell%20fxc-gc-columncell_1_1%22%3E%3CDIV%20class%3D%22fxc-gc-text%22%3E%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23%40networkhomes.org.uk%2Fresource%2Fsubscriptions%2F206bebf0-39bd-4a14-a394-f426cf0f34c8%2FresourceGroups%2Frg-vm_cmvmaaz-prod-1%2Fproviders%2FMicrosoft.Compute%2FvirtualMachines%2FNH-CMVMAAZ%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENH-CMVMAAZ%3C%2FA%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%2C%20the%20query%20is%20really%20confusing%2C%20it%20is%20displaying%20several%20machines%2C%20which%20should%20not%20be%20as%20those%20machines%20are%20turned%20on%20and%20sending%20pings.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-basic%22%3E%3CCODE%3EQuery%0A%0Alet%20shutdownComputers%20%3D%20dynamic(%5B%22NET-CCWALLBOARD.networkhg.org.uk%22%2C%22NET-FS3.networkhg.org.uk%22%2C%22NET-GISAPP1.networkhg.org.uk%22%2C%22NET-GISSQL1.networkhg.org.uk%22%2C%22NET-OVUAT2.networkhg.org.uk%22%2C%22NET-P2PTESTAPP1.networkhg.org.uk%22%5D)%3B%0A%2F%2F%20config%20the%20hours%20to%20exclude%0Alet%20startHour%20%3D%2006%3B%0Alet%20endHour%20%3D%2022%3B%0AHeartbeat%0A%2F%2F%20Get%20just%20the%20excluded%20Servers%0A%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(1h))%0A%7C%20where%20Computer%20in%20(shutdownComputers)%0A%7C%20summarize%20LastCall%20%3D%20arg_max(%20TimeGenerated%2C%20datetime_part(%22hour%22%2C%20TimeGenerated)%20between(%20startHour%20..%20endHour)%20)%0Aby%20Computer%2C%20sComputer%20%3D%20strcat(%22Computer%20in%20OFFLINE%20list%20from%20%22%2C%20startHour%2C%22%20to%20%22%2C%20endHour%2C%22%20%3A%22%2CComputer)%2C%20ComputerEnvironment%0A%7C%20where%20isnotempty(LastCall)%0A%7C%20project%20Computer%20%2C%20LastCall%2C%20sComputer%0A%2F%2F%20Now%20join%20those%20excluded%20servers%20with%20the%20others...%0A%7C%20join%20kind%3D%20fullouter%0A(%0AHeartbeat%0A%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(1h))%0A%7C%20summarize%20LastCall%20%3D%20arg_max(TimeGenerated%2C*)%20by%20Computer%0A)%20on%20Computer%0A%2F%2F%20This%20bit%20can%20probably%20be%20improved%20if%20I%20get%20time%0A%7C%20extend%20Computer%20%3D%20iif(isempty(Computer)%2CComputer1%2CComputer)%2C%0ALastCall%20%3D%20iif(isempty(LastCall)%2CLastCall1%2CLastCall)%0A%7C%20summarize%20by%20LastCall%2C%20Computer%2C%20sComputer%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EResults%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Arslan11_0-1588802544216.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189620iE25C0C63E5A7C895%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Arslan11_0-1588802544216.png%22%20alt%3D%22Arslan11_0-1588802544216.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1369508%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1369508%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20the%20requirements%20are%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3EI%20would%20like%20to%20know%2C%20if%20%3CSTRONG%3Eany%3C%2FSTRONG%3E%20machine%20is%20not%20sending%20pings%3A%26nbsp%3B%20%3CFONT%20color%3D%22%23FF0000%22%3EAll%20Computers%3C%2FFONT%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3E%3CSTRONG%3Eexcept%3C%2FSTRONG%3E%20the%20machines%20that%20shut%20down%20at%2010%3A00pm%20and%20start%20at%206%3A00am%2C%26nbsp%3B%20%3CFONT%20color%3D%22%23FF0000%22%3ESee%20list%3C%2FFONT%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3Eit%20should%20still%20report%20if%20not%20sending%20pings%20between%207%3A00%20am%20to%209%3A00p%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20for%20%233%2C%20is%20that%20all%20machines%2C%20including%26nbsp%3Bthose%20excluded%20by%20%232%3F%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%3EThe%20Query%20returns%20all%20servers%2C%20and%20the%20last%20record%20received%20(unless%20they%20are%20excluded%20within%20certain%20hours).%3CBR%20%2F%3E%3CBR%20%2F%3EHave%20you%20added%20this%20back%20as%20the%20last%20line%3F%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSTRONG%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%3C%2FSTRONG%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1369616%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1369616%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%20Prefect%2C%20KQL%20working%20as%20expected%2C%20Final%20thing%20to%20be%20done%2C%20then%20it's%20all%20done.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAll%20the%20machines%20specified%20in%20the%20screenshot%2C%20is%20stopped%20forever%2C%20how%20can%20i%20stop%20those%20reporting%20in%20my%20existing%20query%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Arslan11_0-1588858007433.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189760iC2B1EABA1A511D0D%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Arslan11_0-1588858007433.png%22%20alt%3D%22Arslan11_0-1588858007433.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-basic%22%3E%3CCODE%3E%2F%2F%20config%20the%20hours%20to%20exclude%0Alet%20startHour%20%3D%2006%3B%0Alet%20endHour%20%3D%2022%3B%0AHeartbeat%0A%2F%2F%20Get%20just%20the%20excluded%20Servers%0A%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(24h))%0A%7C%20where%20Computer%20in%20(shutdownComputers)%0A%7C%20summarize%20LastCall%20%3D%20arg_max(%20TimeGenerated%2C%20datetime_part(%22hour%22%2C%20TimeGenerated)%20between(%20startHour%20..%20endHour)%20)%0Aby%20Computer%2C%20sComputer%20%3D%20strcat(%22Computer%20in%20OFFLINE%20list%20from%20%22%2C%20startHour%2C%22%20to%20%22%2C%20endHour%2C%22%20%3A%22%2CComputer)%2C%20ComputerEnvironment%0A%7C%20where%20isnotempty(LastCall)%0A%7C%20project%20Computer%20%2C%20LastCall%2C%20sComputer%0A%2F%2F%20Now%20join%20those%20excluded%20servers%20with%20the%20others...%0A%7C%20join%20kind%3D%20fullouter%0A(%0AHeartbeat%0A%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(24h))%0A%7C%20summarize%20LastCall%20%3D%20arg_max(TimeGenerated%2C*)%20by%20Computer%0A)%20on%20Computer%0A%2F%2F%20This%20bit%20can%20probably%20be%20improved%20if%20I%20get%20time%0A%7C%20extend%20Computer%20%3D%20iif(isempty(Computer)%2CComputer1%2CComputer)%2C%0ALastCall%20%3D%20iif(isempty(LastCall)%2CLastCall1%2CLastCall)%0A%7C%20summarize%20by%20LastCall%2C%20Computer%2C%20sComputer%0A%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EShould%20I%20add%20another%20joinkind%3D%20fulloter%3C%2FP%3E%3CP%3Ethen%20add%20this%3C%2FP%3E%3CP%3EHeartbeat%3C%2FP%3E%3CP%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3C%2FP%3E%3CP%3E%7C%20where%20Computer%20!%3D%20%22computer%20to%20be%20excluded%22%3C%2FP%3E%3CP%3E%2F%2F%20or%26nbsp%3B%20Computer%26nbsp%3B%20!%3D%20%22aaaa%22%3C%2FP%3E%3CP%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%3C%2FP%3E%3CP%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eor%20there%20is%20any%20other%20way%20to%20do%20it%2C%20final%20thing%20to%20be%20done.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1369643%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1369643%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELike%20this%20maybe%3F%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3E%2F%2F%20please%20add%20a%20list%20of%20your%20servers%20here%2C%20these%20ones%20are%20the%20ones%20that%20are%20*shutdown*%20overnight%0Alet%20shutdownComputers%20%3D%20dynamic(%5B%22rancher-node-1%22%2C%22rancher-node-2%22%2C%22rancher-node-3%22%5D)%3B%0A%2F%2F%20always%20exclude%20these%20computera%0Alet%20excludeComputers%20%3D%20dynamic(%5B%22demo1%22%2C%22demo2%22%2C%22demo3%22%2C%22node-4%22%5D)%3B%0A%2F%2F%20config%20the%20hours%20to%20exclude%0Alet%20startHour%20%3D%2007%3B%20%20%20%2F%2F%207am%0Alet%20endHour%20%20%20%3D%2022%3B%20%20%20%2F%2F%2010pm%0AHeartbeat%0A%2F%2F%20Get%20just%20the%20excluded%20Servers%0A%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(1d))%20%0A%7C%20where%20Computer%20in%20(shutdownComputers)%20%0A%7C%20summarize%20LastCall%20%3D%20arg_max(%20TimeGenerated%2C%20datetime_part(%22hour%22%2C%20TimeGenerated)%20between(%20startHour%20..%20endHour)%20)%0A%20%20%20%20%20%20%20%20%20%20%20%20by%20Computer%2C%20sComputer%20%3D%20strcat(%22Computer%20in%20OFFLINE%20list%20from%20%22%2C%20startHour%2C%22%20to%20%22%2C%20endHour%2C%22%20%3A%22%2CComputer)%2C%20ComputerEnvironment%0A%7C%20where%20isnotempty(LastCall)%0A%7C%20project%20Computer%20%2C%20LastCall%2C%20sComputer%0A%2F%2F%20Now%20join%20those%20excluded%20servers%20with%20the%20others...%20%20%20%0A%7C%20join%20kind%3D%20fullouter%20%20%0A%20(%0A%20%20%20%20Heartbeat%0A%20%20%20%20%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(1d))%20%0A%20%20%20%20%7C%20where%20Computer%20!in%20(shutdownComputers)%20and%20Computer%20!in(excludeComputers)%0A%20%20%20%20%7C%20summarize%20LastCall%20%3D%20arg_max(TimeGenerated%2C*)%20by%20Computer%0A%20)%20on%20Computer%0A%2F%2F%20This%20bit%20can%20probably%20be%20improved%20if%20I%20get%20time%20%20%0A%7C%20extend%20Computer%20%3D%20iif(isempty(Computer)%2CComputer1%2CComputer)%2C%0A%20%20%20%20%20%20%20%20%20LastCall%20%3D%20iif(isempty(LastCall)%2CLastCall1%2CLastCall)%0A%7C%20summarize%20by%20LastCall%2C%20Computer%2C%20sComputer%0A%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3E%2F%2F%20please%20add%20a%20list%20of%20your%20servers%20here%2C%20these%20ones%20are%20the%20ones%20that%20are%20*shutdown*%20overnight%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3Elet%20shutdownComputers%20%3D%20dynamic(%5B%3C%2FSPAN%3E%3CSPAN%3E%22rancher-node-1%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22rancher-node-2%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22rancher-node-3%22%3C%2FSPAN%3E%3CSPAN%3E%5D)%3B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%3E%2F%2F%20always%20exclude%20these%20computers%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%3Elet%20excludeComputers%20%3D%20dynamic(%5B%3C%2FSPAN%3E%3CSPAN%3E%22demo1%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22demo2%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22demo3%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22node-4%22%3C%2FSPAN%3E%3CSPAN%3E%5D)%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3CP%3E...%3C%2FP%3E%0A%3CP%3E...%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3E%20Heartbeat%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%20%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20TimeGenerated%20%26gt%3B%20startofday(ago(%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3Ed))%3C%2FSPAN%3E%20%3C%2FDIV%3E%0A%3CDIV%3E%20%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20!in%20(shutdownComputers)%20%3C%2FSPAN%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%3Eand%3C%2FSPAN%3E%3CSPAN%3E%20Computer%20!in(excludeComputers)%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3E%20%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%20LastCall%20%3D%20arg_max(TimeGenerated%2C*)%20%3C%2FSPAN%3E%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20Computer%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1370242%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1370242%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3BThanks%20for%20all%20the%20help%20you%20gave%20me%20and%20keeping%20up%20with%20me%2C%20my%20query%20is%20finally%20working%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20it%20is%20doing%20the%20right%20thing%2C%20excluding%20those%20machines%20and%20I%20will%20see%20if%20I%20don't%20get%20alert%20tonight%20that%20means%20it%20is%20also%20avoiding%20the%20ones%20which%20shutdown%20at%20night%20at%2010%3A00%20pm.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20you%20described%20-%20let%20start%20%3DHour%26nbsp%3B%207%20when%20the%20machines%20are%20started%20and%2010%3A00pm%20when%20machines%20are%20stopped.%3C%2FP%3E%3CPRE%3Elet%20startHour%20%3D%2007%3B%20%20%20%2F%2F%207am%0Alet%20endHour%20%20%20%3D%2022%3B%20%20%20%2F%2F%2010pm%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20also%20removed%20the%20last%20line%2C%20as%20it%20was%20used%20for%20testing%20the%20query%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%20finally%20getting%20the%20logic%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

Kusto query 

Heartbeat
| where TimeGenerated > ago(24h)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment
| where LastCall < ago(10m

 

I need assistance with this query, I don't want to be reported for the following servers in not sending pings, those severs get shutdown at 10:00pm UK time and starts at 6:00am uk time.

 

I don't want those servers to be reported from 10:00pm to 6:00am, how can I amend my existing query and make this possible

25 Replies
Highlighted

@Arslan11 

 

Look out for a Blog post on KQL and Time from me on the Sentinel blog, hopefully later this week.  Here we get just the "hours" from the TimeGenerated and use that to say, I only want this period of Hours between 07am and 22pm.  Please remove the "hour" column when you are happy this works as expected. 

 

Heartbeat
| where TimeGenerated > ago(1d)
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, hour
| where LastCall < ago(10m)
| order by hour asc 

   

Highlighted

@Clive WatsonThanks, you mentioned to remove the hour column, if I will do that, then the hour between will not work, or you want me to still remove it

 

 

Heartbeat
| where TimeGenerated > ago(1d)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
//| where Computer == "demo2"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, hour
| where LastCall < ago(10m)
| order by hour asc

 

Highlighted

@Arslan11 

 

Sorry I meant from the Summarize line (you do need it until then), summarize becomes this 

 

| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment

 

I just removed the ", hour" from the end of the line.

Highlighted

@Clive WatsonThanks, Heartbeat
| where TimeGenerated > ago(1d)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment,
| where LastCall < ago(10m)
| order by hour asc

 

I am getting, after I removed the hour, do I need to put the hour back ?

Query could not be parsed at '|' on line [8,0]

Token: |
Line: 8
Position: 0

 

Highlighted

@Clive WatsonI have amended by query

 

Heartbeat
| where TimeGenerated > ago(24h)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment

 

removed the hour from the last line, is that what you were asking for

Highlighted

@Arslan11

 

That's correct syntax, it totally up to you to remove the Hour column (it's probably useful when building/testing the query but not after that); your choice.... 

 

If you think it may be useful in the future, you could also comment it out rather than remove it?

 

e.g. 

| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment //, hour
Highlighted

@Clive Watsonjust to have better understanding on my logic.

 

why is it important to have the hour column, is it for testing purposes, when you want to see , which machines are not pinging in that hour and it will show the machines that are switched off, when testing the query

Highlighted

 

@Arslan11 

 

Just for testing, we create it here (line 1 below), in line 2 we use it to further filter the rows returned by the query - in this case those hours that start between 7am and 22pm. 

After that it isn't really needed in the display (optional).  I only added it to the summarise line, so I could check I'd done the query correctly.   You may like to keep it, to check I'm right? 

 

| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)

Highlighted

@Clive WatsonThanks for the clarification, the query is working as expected 

 

Those machines turned off at 10:00pm and I didn't get machine not sending pings alerts.

 

I will keep the summarise line, for my members of team, if they will run the query , they will be able to see other machines apart from the machines that we do not want to be monitored between 6:00 am and 10:00pm

 

Final query

Heartbeat
| where TimeGenerated > ago(24h)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk" and Computer == "NH-AAHW2.networkhg.org.uk" and Computer == "NH-ADAPPP-02.networkhg.org.uk"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (06 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, hour

 

Highlighted

@Arslan11 

 

You can also write the query like this (removing lots of the 'and Computer ==')

 

This uses IN and !IN  (in, and 'not in') https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/inoperator

 

Heartbeat
| where TimeGenerated > ago(24h)
| where Computer !in ("NH-CMVMAAZ.networkhg.org.uk","UAT-WVD-REL86-0.networkhg.org.uk")
| where Computer in ("NET-CCWALLBOARD.networkhg.org.uk","NET-FS3.networkhg.org.uk","NET-GISAPP1.networkhg.org.uk","NET-GISSQL1.networkhg.org.uk","NET-OVUAT2.networkhg.org.uk","NET-P2PTESTAPP1.networkhg.org.uk")
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (06 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment  //, hour

 

Other great Resources to read are:

 

Best practise: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices

Prefer using case-sensitive operators when applicable, as they are more performant. For example, prefer using == over =~in over in~, and contains_cs over contains (but if you can avoid contains/contains_cs altogether and use has/has_cs, that's even better).

 

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-optimization

Highlighted

@Clive Watson I tired this using the in and !in, I am afraid, it didn't work. You can see the results, is displaying the machines that are turned on.

 

I revert back to the old query, not using the in and !in

 

Arslan11_0-1588692074767.png

 

Highlighted

@Clive Watson 

 I tired this using the in and !in, I am afraid, it didn't work. You can see the results, is displaying the machines that are turned on.

 

I revert back to the old query, not using the in and !in

 

 

 

 

Highlighted

@Clive Watson  I tired this using the in and !in, I am afraid, it didn't work. You can see the results, is displaying the machines that are turned on.

I revert back to the old query, not using the in and !in

Highlighted

@Arslan11 

 

You said you had reverted, to not suing the IN and !in so I didn't reply again. Is the original query not working?

Highlighted

@Clive Watson I think the query isn't working properly because

 

Heartbeat  hour to monitor

| where TimeGenerated > ago(24h)

| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"

| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk"

| extend hour = datetime_part("hour", TimeGenerated)

| where hour between (07 .. 22)

| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment

 

 

Because I was wondering it has been two days and I haven't recived a single alert for machine not sending pings.

 

I run another query to see, if we had any machines that were not pinging and there is one at 8:00am, which I didn't got alert about

 

Arslan11_0-1588775638318.png

Can you please have a look at my query again

 

 

Highlighted
The screen shot shows two servers, one is at 8:56 is that the one, you say is 8am? If the query is working, it may be the Alert that isn't setup right? Is this an Azure Monitor alert?
Highlighted

@Clive Watson Not an alert, just a query that  I run to see if there were any machines that weren't sending the  pings , and one machine came up at this time.

 

Arslan11_0-1588780305176.png

Can you please have a look at this query again, I still want to be alerted about other machines which is not sending the pings,  expect the one's which get's turn off at 10:00 pm and turn back on at 6:00 am as shown in the query below, which you helped

 

Heartbeat existing query

Heartbeat
| where TimeGenerated > ago(24h)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk" and Computer == "NH-AAHW2.networkhg.org.uk" and Computer == "NH-ADAPPP-02.networkhg.org.uk" and Computer == "VM-WVD-REL86-0.networkhg.org.uk" and Computer == "VM-WVD-REL86-1.networkhg.org.uk" and Computer == "VM-WVD-REL86-2.networkhg.org.uk" and Computer == "VM-WVD-REL86-3.networkhg.org.uk" and Computer == "VM-WVD-REL86-4.networkhg.org.uk"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (06 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment 

Highlighted

@Arslan11 

 

I think I'm understanding your requirements a bit more now.  This now does the work in two phases, the first part deals with the shutdown servers in the time windows you specified.  I then join those with all the other servers, to show the lastCall for both (but none of the ones in the shutdown window).   I that right?  Please test and adjust the KQL yourself to suit your expected outcome.   

 

// please add a list of your servers here, these ones are the ones that are *shutdown* overnight
let shutdownComputers = dynamic(["rancher-node-1","rancher-node-2","rancher-node-3"]);
// config the hours to exclude
let startHour = 07;   // 7am
let endHour   = 22;   // 10pm
Heartbeat
// Get just the excluded Servers
| where TimeGenerated > startofday(ago(1d)) 
| where Computer in (shutdownComputers)
| summarize LastCall = arg_max( TimeGenerated, datetime_part("hour", TimeGenerated) between( startHour .. endHour) )
            by Computer, sComputer = strcat("Computer in OFFLINE list from ", startHour," to ", endHour," :",Computer), ComputerEnvironment
| where isnotempty(LastCall)
| project Computer , LastCall, sComputer
// Now join those excluded servers with the others...   
| join kind= fullouter  
 (
    Heartbeat
    | where TimeGenerated > startofday(ago(1d)) 
    | where Computer !in (shutdownComputers)
    | summarize LastCall = arg_max(TimeGenerated,*) by Computer
 ) on Computer
// This bit can probably be improved if I get time  
| extend Computer = iif(isempty(Computer),Computer1,Computer),
         LastCall = iif(isempty(LastCall),LastCall1,LastCall)
| summarize by LastCall, Computer, sComputer

 

Go to Log Analytics and run query

 

Highlighted

@Clive Watson   I did query accroding to my need.

 

Still not working, please let me know, where I went wrong.

 

// please add a list of your servers here, these ones are the ones that are *shutdown* overnight

let shutdownComputers = dynamic(["NET-CCWALLBOARD.networkhg.org.uk","NET-FS3.networkhg.org.uk","NET-GISAPP1.networkhg.org.uk","NET-GISSQL1.networkhg.org.uk","NET-OVUAT2.networkhg.org.uk","NET-P2PTESTAPP1.networkhg.org.uk"]);
// config the hours to exclude
let startHour = 22;
let endHour = 06;
Heartbeat
// Get just the excluded Servers
| where TimeGenerated > startofday(ago(1d))
| where Computer in (shutdownComputers)
| summarize LastCall = arg_max( TimeGenerated, datetime_part("hour", TimeGenerated) between( startHour .. endHour) )
by Computer, sComputer = strcat("Computer in OFFLINE list from ", startHour," to ", endHour," :",Computer), ComputerEnvironment
| where isnotempty(LastCall)
| project Computer , LastCall, sComputer
// Now join those excluded servers with the others...
| join kind= fullouter
(
Heartbeat
| where TimeGenerated > startofday(ago(1d))
| where Computer !in (shutdownComputers)
| summarize LastCall = arg_max(TimeGenerated,*) by Computer
) on Computer
// This bit can probably be improved if I get time
| extend Computer = iif(isempty("NH-CMVMAAZ.networkhg.org),),
LastCall = iif(isempty(LastCall),LastCall1,LastCall)
| summarize by LastCall, Computer, sComputer

 

Highlighted
Hello, You only needed to change line 1, not the 2nd to last line as well. I cannot tell what is not working without the results or error. This thread is probably getting too long. Maybe private message me the results, screenshot or csv file?
Highlighted

@Clive WatsonI was unable to send private message, that's why I have put it over here

 

Sorry for confusing you, what I wanted exactly in my query to be set up as alert.

 

I would like to know, if any machine is not sending pings, expect  machines  that shut down at 10:00pm and start at 6:00am, but it should still report if not sending pings between 7:00 am to 9:00pm.

 

Machines that shut down.

 
 

 

But, the query is really confusing, it is displaying several machines, which should not be as those machines are turned on and sending pings.

 

 

 

Query

let shutdownComputers = dynamic(["NET-CCWALLBOARD.networkhg.org.uk","NET-FS3.networkhg.org.uk","NET-GISAPP1.networkhg.org.uk","NET-GISSQL1.networkhg.org.uk","NET-OVUAT2.networkhg.org.uk","NET-P2PTESTAPP1.networkhg.org.uk"]);
// config the hours to exclude
let startHour = 06;
let endHour = 22;
Heartbeat
// Get just the excluded Servers
| where TimeGenerated > startofday(ago(1h))
| where Computer in (shutdownComputers)
| summarize LastCall = arg_max( TimeGenerated, datetime_part("hour", TimeGenerated) between( startHour .. endHour) )
by Computer, sComputer = strcat("Computer in OFFLINE list from ", startHour," to ", endHour," :",Computer), ComputerEnvironment
| where isnotempty(LastCall)
| project Computer , LastCall, sComputer
// Now join those excluded servers with the others...
| join kind= fullouter
(
Heartbeat
| where TimeGenerated > startofday(ago(1h))
| summarize LastCall = arg_max(TimeGenerated,*) by Computer
) on Computer
// This bit can probably be improved if I get time
| extend Computer = iif(isempty(Computer),Computer1,Computer),
LastCall = iif(isempty(LastCall),LastCall1,LastCall)
| summarize by LastCall, Computer, sComputer

 

 

 

 

Results 

Arslan11_0-1588802544216.png

 

Highlighted

@Arslan11 

 

So the requirements are:

 

  1. I would like to know, if any machine is not sending pings:  All Computers 
  2. except the machines that shut down at 10:00pm and start at 6:00am,  See list 
  3. it should still report if not sending pings between 7:00 am to 9:00p 

    So for #3, is that all machines, including those excluded by #2?

The Query returns all servers, and the last record received (unless they are excluded within certain hours).

Have you added this back as the last line?

 

| where LastCall < ago(10m)
 
 

 

 

Highlighted

@Clive Watson  Prefect, KQL working as expected, Final thing to be done, then it's all done.

 

All the machines specified in the screenshot, is stopped forever, how can i stop those reporting in my existing query

 

Arslan11_0-1588858007433.png

 

// config the hours to exclude
let startHour = 06;
let endHour = 22;
Heartbeat
// Get just the excluded Servers
| where TimeGenerated > startofday(ago(24h))
| where Computer in (shutdownComputers)
| summarize LastCall = arg_max( TimeGenerated, datetime_part("hour", TimeGenerated) between( startHour .. endHour) )
by Computer, sComputer = strcat("Computer in OFFLINE list from ", startHour," to ", endHour," :",Computer), ComputerEnvironment
| where isnotempty(LastCall)
| project Computer , LastCall, sComputer
// Now join those excluded servers with the others...
| join kind= fullouter
(
Heartbeat
| where TimeGenerated > startofday(ago(24h))
| summarize LastCall = arg_max(TimeGenerated,*) by Computer
) on Computer
// This bit can probably be improved if I get time
| extend Computer = iif(isempty(Computer),Computer1,Computer),
LastCall = iif(isempty(LastCall),LastCall1,LastCall)
| summarize by LastCall, Computer, sComputer
| where LastCall < ago(10m)

 

Should I add another joinkind= fulloter

then add this

Heartbeat

| where TimeGenerated > ago(24h)

| where Computer != "computer to be excluded"

// or  Computer  != "aaaa"

| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment

| where LastCall < ago(10m)

 

or there is any other way to do it, final thing to be done.

 

Highlighted

@Arslan11 

 

Like this maybe?

// please add a list of your servers here, these ones are the ones that are *shutdown* overnight
let shutdownComputers = dynamic(["rancher-node-1","rancher-node-2","rancher-node-3"]);
// always exclude these computera
let excludeComputers = dynamic(["demo1","demo2","demo3","node-4"]);
// config the hours to exclude
let startHour = 07;   // 7am
let endHour   = 22;   // 10pm
Heartbeat
// Get just the excluded Servers
| where TimeGenerated > startofday(ago(1d)) 
| where Computer in (shutdownComputers) 
| summarize LastCall = arg_max( TimeGenerated, datetime_part("hour", TimeGenerated) between( startHour .. endHour) )
            by Computer, sComputer = strcat("Computer in OFFLINE list from ", startHour," to ", endHour," :",Computer), ComputerEnvironment
| where isnotempty(LastCall)
| project Computer , LastCall, sComputer
// Now join those excluded servers with the others...   
| join kind= fullouter  
 (
    Heartbeat
    | where TimeGenerated > startofday(ago(1d)) 
    | where Computer !in (shutdownComputers) and Computer !in(excludeComputers)
    | summarize LastCall = arg_max(TimeGenerated,*) by Computer
 ) on Computer
// This bit can probably be improved if I get time  
| extend Computer = iif(isempty(Computer),Computer1,Computer),
         LastCall = iif(isempty(LastCall),LastCall1,LastCall)
| summarize by LastCall, Computer, sComputer
| where LastCall < ago(10m)

 

// please add a list of your servers here, these ones are the ones that are *shutdown* overnight
let shutdownComputers = dynamic(["rancher-node-1","rancher-node-2","rancher-node-3"]);
// always exclude these computers
let excludeComputers = dynamic(["demo1","demo2","demo3","node-4"]);

...

...

Heartbeat
| where TimeGenerated > startofday(ago(1d))
| where Computer !in (shutdownComputers) and Computer !in(excludeComputers)
| summarize LastCall = arg_max(TimeGenerated,*) by Computer
 
 

 

Highlighted

@Clive Watson Thanks for all the help you gave me and keeping up with me, my query is finally working

 

And it is doing the right thing, excluding those machines and I will see if I don't get alert tonight that means it is also avoiding the ones which shutdown at night at 10:00 pm.

 

As you described - let start =Hour  7 when the machines are started and 10:00pm when machines are stopped.

let startHour = 07;   // 7am
let endHour   = 22;   // 10pm

 

I have also removed the last line, as it was used for testing the query

 

| where LastCall < ago(10m)

 

Thanks, finally getting the logic