May 08 2018 06:50 PM
May 08 2018 06:50 PM
I currently have an azure automation runbook that executes a get-azurermvm command against all the subscriptions in our tenant. This script compiles a table, that lists the vmSize and Status of running / deallocated as well as other pertinent information.
The out put is then formatted to JSON and posted to the log analytics Rest API where I have a custom Log called RunningVMs_CL
What I would like to be able to do is calculate any VM running more than 8 hours and up to 40 hours and be able to alert on it when it reaches above 8 hours of runtime per day or more, and then when it reaches 40 hours of total run time. The 40 hours might be a bit difficult to check as logs are only 31 days old at max.
Being new to Log Analytics language I'm struggling to find the right commands to use to facilitate at least the 8 hour calculation, any tips on how I should approach this query?
May 08 2018 06:58 PM
The fields I have to work with on this are
Location_s - string / region name
State_s - string / status of the vm / running or deallocated
type_s - string / hardwareprofile.vmsize (e.g. nv24, f2, etc)
timegenerated - automatically created during ingestion of the log
vmname_s - string / vmname
there are other fields, but not relevant to the query needed.
May 13 2018 09:12 AM
My organization is just now starting with Log Analytics and I've been looking at how we can use it to measure out Azure VM utilization. In particular, we'd like to check for any machines that might be very underutilized.
I started with just looking at the normal things like Processor, Memory, Disk usages. Comparing that to the hardware profile of VM might be interesting.
Maybe some other folks can share what they have done in this space?
Also, is there an easy way to get the schema of virtual machines or really any of the Log Analytics name spaces?
May 14 2018 07:36 AM
The exact query depends on your specific table structure, which I don't have (I see you provided the field names but I need access to the actual table to create a working example).
I've created an example query based on the Heartbeat table, you can adjust it to meet your custom logs:
Heartbeat | where TimeGenerated > ago(7d) | summarize heartbeats_per_hour=count() by bin(TimeGenerated, 1h), Computer | extend state_per_hour=iff(heartbeats_per_hour>0, true, false) | summarize total_running_hours=countif(state_per_hour==true) by Computer | where total_running_hours > 8
you can also run it on our demo environment.
basically, this query finds computers that have been running for more than 8 hours (total) over the last 7 days. I am not sure why 40 hours would be more complicated, can you explain what you meant?
May 14 2018 07:45 AM
Thanks for this I'll adjust it for my table.
The 40 hour requirement is a lifetime calculation of the VM runtime. The customer I'm working with is providing a SaaS app "evaluation" to a customer which they only want to allow them to use it NO more than 40 hours total. It's likely that they'd reach this in a week, but it's also likely they'd reach it in 40 days if they only use the VMs for an hour a day...Log analytics keeps data for 31 days? so if I calculated off of the data retained there could be a scenario where the usage is 31 hours and never reaches 40.
May 14 2018 08:33 AM
Retention is up to you. To configure, "Usage and estimated costs" on the Log Analytics workspace menu, and in it "Data volume management":