Log Analytics Query for VMProcess Stopped


Hi,

I need to set up an alert rule for when a specific VMProcess is stopped.

Earlier, we used to set the query using the ConfigurationChange table.


ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
| where Computer == "PRODWIN1234"
| where SvcDisplayName == "WMI Performance Adapter"

1 Reply
You probably only need to look at the last row/record that matches the ServiceName and State.

ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
| where Computer == "PRODWIN1234"
| where SvcDisplayName == "WMI Performance Adapter"
| summarize arg_max(TimeGenerated,*)
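An added example (not from the original post or the reply) that reorders the same query so the alert reflects the service's latest known state: the most recent ConfigurationChange record per computer and service is selected first, and the state filter is applied afterwards, so a service that stopped and was later restarted within the window does not keep raising a stale alert. The 1-hour lookback window is an assumption; align it with the alert rule's evaluation frequency.

```kusto
// Added example: alert only when the latest recorded state of the service is "Stopped".
// The ago(1h) lookback is an assumption, not something from the original post.
ConfigurationChange
| where TimeGenerated > ago(1h)
| where ConfigChangeType == "WindowsServices"
| where Computer == "PRODWIN1234"
| where SvcDisplayName == "WMI Performance Adapter"
// Keep only the most recent change record per computer/service;
// '*' carries all other columns of that row along with it.
| summarize arg_max(TimeGenerated, *) by Computer, SvcDisplayName
// Filter on state only after picking the latest record, so a newer
// "Running" record suppresses the alert instead of being discarded.
| where SvcState == "Stopped"
| project TimeGenerated, Computer, SvcDisplayName, SvcState
```

With this shape, the alert rule condition can simply be "number of results greater than 0", since any row returned means the service is currently recorded as stopped.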