Help with making the query work


ConfigurationChange
| where ConfigChangeType == "WindowsServices"
and SvcState == "Stopped"
and (
Computer has "NH-P2PAPP01.networkhg.org.uk"
or Computer has “NET-P2PLIVEAPP1.networkhg.org.uk"
or Computer has “NET-P2PTESTAPP.networkhg.org.uk”
)
and (
SvcDisplayName == "Integra eSeries FINPROD"
or SvcDisplayName == "Integra SPC FINPROD”
or SvcDisplayName == "Integra UAS FINPROD"
or SvcDisplayName == "Integra eSeries FINDEV"
or SvcDisplayName == "Integra SPC FINDEV"
or SvcDisplayName == "Integra UAS FINDEV"
or SvcDisplayName == "Integra eSeries Duet"
or SvcDisplayName == “Integra eSeries SPTDEV"
or SvcDisplayName == "Integra eSeries FINARCH"
)

I am not sure why this alert is not being configured; I can see nothing wrong. Can you please assist me with this?

It keeps saying "The request had some invalid properties", but I have another query set up like that without any problems.


@Arslan11,

 

It seems to me that the query fails to parse because you were using the wrong double quote character. You used ” instead of ".

 

There are many different double quote chars that some keyboards change automatically.

 

Other than the quote chars, I have slightly rewritten your query to make it more readable and easy to maintain:

 

ConfigurationChange
| where
ConfigChangeType == "WindowsServices" and
SvcState == "Stopped" and
Computer has_any ("NH-P2PAPP01.networkhg.org.uk","NET-P2PLIVEAPP1.networkhg.org.uk","NET-P2PTESTAPP.networkhg.org.uk")
and SvcDisplayName in ("Integra eSeries FINPROD","Integra SPC FINPROD","Integra UAS FINPROD","Integra eSeries FINDEV","Integra SPC FINDEV","Integra UAS FINDEV","Integra eSeries Duet","Integra eSeries SPTDEV","Integra eSeries FINARCH")

@Meir Mendelovich Thanks. Another query question to ask:

 

Perf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" and Computer != "net-fs3.networkhg.org.uk" and Computer != "NET-FS1.networkhg.org.uk"  and Computer != "NET-SQL3.networkhg.org.uk" and Computer != "NET-EDMLIVEDB1.networkhg.org.uk" and Computer != "NET-EDM_KOFAX1.networkhg.org.uk"
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
| where strlen(InstanceName) == 2 and InstanceName contains ":" and Computer != "NET-REPAIR2.networkhg.org.uk" and InstanceName !contains ":E"  and Computer != "NH-E2016-01.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "NH-E2016-02.networkhg.org.uk" and InstanceName !contains ":E" and Computer != "net-boxi1.networkhg.org.uk" and InstanceName !contains ":D"
| where Free_Space < 10


How can I make this more readable, and also make sure that one instance for that computer is not being monitored, instead of all of them?

@CliveWatson 

I need assistance with amending the query further and making it more automated. I would like to avoid another computer within this command, for instance the G drive, and I want this to be monitored for less than 6%.

 

Is it possible to be done within the same query

Hi @Arslan11 

 

You may get a faster response if you don't ask me directly (I'm often busy with my job, and look here infrequently at times) also others may have alternative ideas and methods to share.

  
Anyway, you can probably achieve the outcome with this. I've added a capacity case statement that allows for a specific computer and drive-letter size, plus a default option for the unspecified computers:

Perf
// set up filters
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space" 
| where strlen(InstanceName) == 2 and InstanceName contains ":" 
// exclude ALL these named computers 
| where Computer !in ("net-fs3.networkhg.org.uk","NET-FS1.networkhg.org.uk","NET-SQL3.networkhg.org.uk",
                    "NET-EDMLIVEDB1.networkhg.org.uk","NET-EDM_KOFAX1.networkhg.org.uk")
// Show all
| summarize Free_Space = min(CounterValue) by Computer , InstanceName
// Exclude these drive / Computer combinations
// Use a "1" to denote an exclude else "0"
| extend ComputerList = case(
                            Computer == "NET-REPAIR2.networkhg.org.uk" and InstanceName == "E:",1,
                            Computer == "NH-E2016-01.networkhg.org.uk" and InstanceName == "E:",1,
                            Computer == "NH-E2016-02.networkhg.org.uk" and InstanceName == "E:",1,   
                            Computer == "net-boxi1.networkhg.org.uk"   and InstanceName == "D:",1,
                         // Computer == "NET-SQL2"                     and InstanceName == "G:",1,
                            Computer == "RETAILVM01"                   and InstanceName == "D:",1,
                            //else zero
                            0)
| where Computer startswith "R" or Computer  startswith "SQL" 
| where ComputerList !=1
// Set a required capacity for a specific computer and drive letter or use a default value like 10%
| extend driveCapacityFilter = case(
                            Computer == "NET-SQL2"   and InstanceName == "G:", 6,   
                         // Computer == "RETAILVM01" and InstanceName == "G:", 80,                   
                            // else use default value i.e.10%
                            10)
| where Free_Space < driveCapacityFilter
| project-away ComputerList
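A further step towards "more automated", added here as an example and not code from anyone in this thread: instead of two case() statements that grow with every server, keep the per-drive exclusions and thresholds in one lookup table, so adding a machine or changing a threshold is one row. The SamplePerf rows are constructed test data so the query runs stand-alone in any Kusto environment; in Log Analytics replace SamplePerf with the real Perf table. The hostnames are reused from the thread, the FQDN for NET-SQL2 is assumed, and the names DriveRules, ComputerKey, Threshold and DefaultThreshold are mine.

```kql
// Added example, not from the thread. Per-drive exclusions and thresholds live in
// one lookup table instead of two case() statements, so adding a server is one row.
// SamplePerf is constructed test data; in Log Analytics use the real Perf table.
let SamplePerf = datatable(TimeGenerated:datetime, Computer:string, ObjectName:string,
                           CounterName:string, InstanceName:string, CounterValue:real)
[
    datetime(2024-01-01T10:00:00Z), "NET-SQL2.networkhg.org.uk",    "LogicalDisk", "% Free Space", "G:",      5.0,
    datetime(2024-01-01T10:00:00Z), "NET-SQL2.networkhg.org.uk",    "LogicalDisk", "% Free Space", "C:",      8.0,
    datetime(2024-01-01T10:05:00Z), "NET-SQL2.networkhg.org.uk",    "LogicalDisk", "% Free Space", "C:",     11.0,
    datetime(2024-01-01T10:00:00Z), "NET-REPAIR2.networkhg.org.uk", "LogicalDisk", "% Free Space", "E:",      2.0,
    datetime(2024-01-01T10:00:00Z), "NET-REPAIR2.networkhg.org.uk", "LogicalDisk", "% Free Space", "C:",     12.0,
    datetime(2024-01-01T10:00:00Z), "NET-FS1.networkhg.org.uk",     "LogicalDisk", "% Free Space", "C:",      1.0,
    datetime(2024-01-01T10:00:00Z), "NET-REPAIR2.networkhg.org.uk", "LogicalDisk", "% Free Space", "_Total",  4.0
];
// Whole machines that are never alerted on.
let ExcludedComputers = dynamic([
    "net-fs3.networkhg.org.uk", "NET-FS1.networkhg.org.uk", "NET-SQL3.networkhg.org.uk",
    "NET-EDMLIVEDB1.networkhg.org.uk", "NET-EDM_KOFAX1.networkhg.org.uk"]);
// Per-drive rules. Threshold 0 means "never alert on this drive"; any other value
// overrides the default. Keys are lower-cased because lookup/join match case-sensitively.
let DriveRules = datatable(ComputerKey:string, InstanceName:string, Threshold:real)
[
    "net-repair2.networkhg.org.uk", "E:", 0.0,
    "nh-e2016-01.networkhg.org.uk", "E:", 0.0,
    "nh-e2016-02.networkhg.org.uk", "E:", 0.0,
    "net-boxi1.networkhg.org.uk",   "D:", 0.0,
    "net-sql2.networkhg.org.uk",    "G:", 6.0   // FQDN for NET-SQL2 is assumed
];
let DefaultThreshold = 10.0;
SamplePerf
| where ObjectName == "LogicalDisk" and CounterName == "% Free Space"
// keep "C:", "D:", ... and drop "_Total" and volume instances
| where strlen(InstanceName) == 2 and InstanceName endswith ":"
| where Computer !in~ (ExcludedComputers)          // case-insensitive exclusion
| summarize Free_Space = min(CounterValue) by Computer, InstanceName
| extend ComputerKey = tolower(Computer)
| lookup kind=leftouter (DriveRules) on ComputerKey, InstanceName
// no rule row -> default threshold
| extend Threshold = coalesce(Threshold, DefaultThreshold)
| where Threshold > 0 and Free_Space < Threshold
| project Computer, InstanceName, Free_Space, Threshold
```

On the sample rows this returns two lines, NET-SQL2 G: (5% against its 6% rule) and NET-SQL2 C: (8% against the 10% default); NET-REPAIR2 E: is dropped by its 0 rule, NET-FS1 by the machine exclusion, and _Total by the instance filter. Two things to keep in mind when this runs as an alert rule: the Perf rows are whatever falls in the rule's lookback window, and min() means a single dip during that window fires the alert (use arg_max(TimeGenerated, CounterValue) instead if you only want the latest sample), and the `in~` exclusion is case-insensitive while the lookup keys are not, which is why ComputerKey is lower-cased on both sides.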


@CliveWatson Thanks. In future, if I want to amend the threshold for more servers, I will need to add that machine to the computer list with a similar statement "| where Computer startswith "R" or Computer startswith "SQL" "

 

and also, in driveCapacityFilter, add the threshold value for the computer that you want to be alerted on, if that's the threshold value.

@CliveWatson Plus, I tested the query; it is working according to my needs.

Sorry, that was a testing line, @Arslan11.

 

Please remove

 

| where Computer startswith "R" or Computer  startswith "SQL" 

@Arslan11 Hi

It seems that the logic you used is right.

The code failed because of a syntax error.

Use the proper double quotation marks to solve your code errors.

@CliveWatson I already did that part, because I noticed that was a testing line and optional.