Machine not sending pings

%3CLINGO-SUB%20id%3D%22lingo-sub-1357540%22%20slang%3D%22en-US%22%3EMachine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1357540%22%20slang%3D%22en-US%22%3E%3CP%3EKusto%20query%26nbsp%3B%3C%2FP%3E%3CP%3EHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%3CBR%20%2F%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20need%20assistance%20with%20this%20query%2C%20I%20don't%20want%20to%20be%20reported%20for%20the%20following%20servers%20in%20not%20sending%20pings%2C%20those%20severs%20get%20shutdown%20at%2010%3A00pm%20UK%20time%20and%20starts%20at%206%3A00am%20uk%20time.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20want%20those%20servers%20to%20be%20reported%20from%2010%3A00pm%20to%206%3A00am%2C%20how%20can%20I%20amend%20my%20existing%20query%20and%20make%20this%20possible%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1357540%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358389%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358389%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELook%20out%20for%20a%20Blog%20post%20on%20KQL%20and%20Time%20from%20me%20on%20the%20Sentinel%20blog%2C%20hopefully%20later%20this%20week.%26nbsp%3B%20Here%20we%20get%20just%20the%20%22hours%22%20from%20the%20TimeGenerated%20and%20use%20that%20to%20say%2C%20I%20only%20
want%20this%20period%20of%20Hours%20between%2007am%20and%2022pm.%26nbsp%3B%20Please%20remove%20the%20%22hour%22%20column%20when%20you%20are%20happy%20this%20works%20as%20expected.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3EHeartbeat%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1d)%0A%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%0A%7C%20where%20hour%20between%20(07%20..%2022)%0A%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%2C%20hour%0A%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%0A%7C%20order%20by%20hour%20asc%20%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358469%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358469%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EThanks%2C%20you%20mentioned%20to%20remove%20the%20hour%20column%2C%20if%20I%20will%20do%20that%2C%20then%20the%20hour%20between%20will%20not%20work%2C%20or%20you%20want%20me%20to%20still%20remove%20it%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1d)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%2F%2F%7C%20where%20Computer%20%3D%3D%20%22demo2%22%3CBR%20%2F%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3CBR%20%2F%3E%7C%20where%20hour%20between%20(07%20..%2022)%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%2C%20hour%3CBR%20%2F%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%3
CBR%20%2F%3E%7C%20order%20by%20hour%20asc%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358514%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358514%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESorry%20I%20meant%20from%20the%20Summarize%20line%20(you%20do%20need%20it%20until%20then)%2C%20summarize%20becomes%20this%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20%20language-cpp%22%3E%3CCODE%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20just%20removed%20the%20%22%3CSTRONG%3E%2C%20hour%3C%2FSTRONG%3E%22%20from%20the%20end%20of%20the%20line.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358535%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358535%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EThanks%2C%26nbsp%3BHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(1d)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Co
mputer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3CBR%20%2F%3E%7C%20where%20hour%20between%20(07%20..%2022)%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%2C%3CBR%20%2F%3E%7C%20where%20LastCall%20%26lt%3B%20ago(10m)%3CBR%20%2F%3E%7C%20order%20by%20hour%20asc%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20getting%2C%20after%20I%20removed%20the%20hour%2C%20do%20I%20need%20to%20put%20the%20hour%20back%20%3F%3C%2FP%3E%3CP%3EQuery%20could%20not%20be%20parsed%20at%20'%7C'%20on%20line%20%5B8%2C0%5D%3C%2FP%3E%3CP%3EToken%3A%20%7C%3CBR%20%2F%3ELine%3A%208%3CBR%20%2F%3EPosition%3A%200%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358573%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358573%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EI%20have%20amended%20by%20query%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3CBR%20%2F%3E%7C%20where%20hour%20between%20(07%20..%2022)%
3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eremoved%20the%20hour%20from%20the%20last%20line%2C%20is%20that%20what%20you%20were%20asking%20for%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358594%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358594%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThat's%20correct%20syntax%2C%20it%20totally%20up%20to%20you%20to%20remove%20the%20%3CSTRONG%3EHour%3C%2FSTRONG%3E%20column%20(it's%20probably%20useful%20when%20building%2Ftesting%20the%20query%20but%20not%20after%20that)%3B%20your%20choice....%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20think%20it%20may%20be%20useful%20in%20the%20future%2C%20you%20could%20also%20comment%20it%20out%20rather%20than%20remove%20it%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ee.g.%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%20LastCall%20%3D%20max%3C%2FSPAN%3E%3CSPAN%3E(%3C%2FSPAN%3E%3CSPAN%3ETimeGenerated%3C%2FSPAN%3E%3CSPAN%3E)%3C%2FSPAN%3E%20%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20Computer%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%20ComputerEnvironment%20%3C%2FSPAN%3E%3CSTRONG%3E%2F%2F%2C%20hour%3C%2FSTRONG%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358635%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358635%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%
3C%2FA%3Ejust%20to%20have%20better%20understanding%20on%20my%20logic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhy%20is%20it%20important%20to%20have%20the%20hour%20column%2C%20is%20it%20for%20testing%20purposes%2C%20when%20you%20want%20to%20see%20%2C%20which%20machines%20are%20not%20pinging%20in%20that%20hour%20and%20it%20will%20show%20the%20machines%20that%20are%20switched%20off%2C%20when%20testing%20the%20query%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358740%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358740%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EJust%20for%20testing%2C%20we%20create%20it%20here%20(line%201%20below)%2C%20in%20line%202%20we%20use%20it%20to%20further%20filter%20the%20rows%20returned%20by%20the%20query%20-%20in%20this%20case%20those%20hours%20that%20start%20between%207am%20and%2022pm.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%20that%20it%20isn't%20really%20needed%20in%20the%20display%20(optional).%26nbsp%3B%20I%20only%20added%20it%20to%20the%20%3CSTRONG%3Esummarise%3C%2FSTRONG%3E%20line%2C%20so%20I%20could%20check%20I'd%20done%20the%20query%20correctly.%26nbsp%3B%20%26nbsp%3BYou%20may%20like%20to%20keep%20it%2C%20to%20check%20I'm%20right%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3E%7C%20where%20hour%20between%20(07%20..%2022)%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1358906%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1358906%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%
3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3EThanks%20for%20the%20clarification%2C%20the%20query%20is%20working%20as%20expected%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThose%20machines%20turned%20off%20at%2010%3A00pm%20and%20I%20didn't%20get%20machine%20not%20sending%20pings%20alerts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20will%20keep%20the%26nbsp%3B%3CSPAN%3Esummarise%20line%2C%20for%20my%20members%20of%20team%2C%20if%20they%20will%20run%20the%20query%20%2C%20they%20will%20be%20able%20to%20see%20other%20machines%20apart%20from%20the%20machines%20that%20we%20do%20not%20want%20to%20be%20monitored%20between%206%3A00%20am%20and%2010%3A00pm%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFinal%20query%3C%2FP%3E%3CP%3E%3CSTRONG%3EHeartbeat%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NH-AAHW2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NH-ADAPPP-02.networkhg.org.uk%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20hour%20between%20(06%20..%2022)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20Comp
uterEnvironment%2C%20hour%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1359322%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1359322%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20write%20the%20query%20like%20this%20(removing%20lots%20of%20the%20'and%20Computer%20%3D%3D')%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20uses%20IN%20and%20!IN%26nbsp%3B%20(in%2C%20and%20'not%20in')%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Finoperator%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Finoperator%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3EHeartbeat%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%0A%7C%20where%20Computer%20!in%20(%22NH-CMVMAAZ.networkhg.org.uk%22%2C%22UAT-WVD-REL86-0.networkhg.org.uk%22)%0A%7C%20where%20Computer%20in%20(%22NET-CCWALLBOARD.networkhg.org.uk%22%2C%22NET-FS3.networkhg.org.uk%22%2C%22NET-GISAPP1.networkhg.org.uk%22%2C%22NET-GISSQL1.networkhg.org.uk%22%2C%22NET-OVUAT2.networkhg.org.uk%22%2C%22NET-P2PTESTAPP1.networkhg.org.uk%22)%0A%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%0A%7C%20where%20hour%20between%20(06%20..%2022)%0A%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%20%20%2F%2F%2C%20hour%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOther%20great%20Resources%20to%20read%20are%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBest%20practise%3A%
26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fbest-practices%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fbest-practices%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EPrefer%20using%20case-sensitive%20operators%20when%20applicable%2C%20as%20they%20are%20more%20performant.%20For%20example%2C%20prefer%20using%26nbsp%3B%3CCODE%3E%3D%3D%3C%2FCODE%3E%26nbsp%3Bover%26nbsp%3B%3CCODE%3E%3D~%3C%2FCODE%3E%2C%26nbsp%3B%3CCODE%3Ein%3C%2FCODE%3E%26nbsp%3Bover%26nbsp%3B%3CCODE%3Ein~%3C%2FCODE%3E%2C%20and%26nbsp%3B%3CCODE%3Econtains_cs%3C%2FCODE%3E%26nbsp%3Bover%26nbsp%3B%3CCODE%3Econtains%3C%2FCODE%3E%26nbsp%3B(but%20if%20you%20can%20avoid%26nbsp%3B%3CCODE%3Econtains%3C%2FCODE%3E%2F%3CCODE%3Econtains_cs%3C%2FCODE%3E%26nbsp%3Baltogether%20and%20use%26nbsp%3B%3CCODE%3Ehas%3C%2FCODE%3E%2F%3CCODE%3Ehas_cs%3C%2FCODE%3E%2C%20that's%20even%20better).%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Fquery-optimization%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Flog-query%2Fquery-optimization%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1360483%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1360483%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3BI%20tired%20this%20using%20the%20in%20and%20!in%2C%20I%20am%20afraid%2C%20it%20didn't%20work.%20You%20can%20see%20the%20results%2C%20is%20displaying%20the%20machines%20that%20are%20turned%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20revert%2
0back%20to%20the%20old%20query%2C%20not%20using%20the%20in%20and%20!in%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Arslan11_0-1588692074767.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189028iE9869A8D4FBA1293%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Arslan11_0-1588692074767.png%22%20alt%3D%22Arslan11_0-1588692074767.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1361695%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361695%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3BI%20tired%20this%20using%20the%20in%20and%20!in%2C%20I%20am%20afraid%2C%20it%20didn't%20work.%20You%20can%20see%20the%20results%2C%20is%20displaying%20the%20machines%20that%20are%20turned%20on.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20revert%20back%20to%20the%20old%20query%2C%20not%20using%20the%20in%20and%20!in%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1363253%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1363253%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3B%20I%20tired%20this%20using%20the%20in%20and%20!in%2C%20I%20am%20afraid%2C%20it%20
didn't%20work.%20You%20can%20see%20the%20results%2C%20is%20displaying%20the%20machines%20that%20are%20turned%20on.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20revert%20back%20to%20the%20old%20query%2C%20not%20using%20the%20in%20and%20!in%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1363588%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1363588%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20said%20you%20had%20reverted%2C%20to%20not%20suing%20the%20IN%20and%20!in%20so%20I%20didn't%20reply%20again.%20Is%20the%20original%20query%20not%20working%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1363856%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1363856%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3BI%20think%20the%20query%20isn't%20working%20properly%20because%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EHeartbeat%26nbsp%3B%20%3C%2FSTRONG%3E%3CSTRONG%3Ehour%20to%20monitor%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and
%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%20%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20where%20hour%20between%20(07%20..%2022)%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%20%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EBecause%20I%20was%20wondering%20it%20has%20been%20two%20days%20and%20I%20haven't%20recived%20a%20single%20alert%20for%20machine%20not%20sending%20pings.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EI%20run%20another%20query%20to%20see%2C%20if%20we%20had%20any%20machines%20that%20were%20not%20pinging%20and%20there%20is%20one%20at%208%3A00am%2C%20which%20I%20didn't%20got%20alert%20about%3C%2FSTRONG%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Arslan11_0-1588775638318.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189485i1E8A2B2F8BEBAA84%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Arslan11_0-1588775638318.png%22%20alt%3D%22Arslan11_0-1588775638318.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ECan%20you%20please%20have%20a%20look%20at%20my%20query%20again%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364073%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364073%22%20slang%3D%22en-US%22%3EThe%20screen%20shot%20shows%20two%20servers%2C%20one%20is%20at%208%3A56%20is%20that%20the
%20one%2C%20you%20say%20is%208am%3F%20If%20the%20query%20is%20working%2C%20it%20may%20be%20the%20Alert%20that%20isn't%20setup%20right%3F%20Is%20this%20an%20Azure%20Monitor%20alert%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364366%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364366%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F239477%22%20target%3D%22_blank%22%3E%40Clive%20Watson%3C%2FA%3E%26nbsp%3BNot%20an%20alert%2C%20just%20a%20query%20that%26nbsp%3B%20I%20run%20to%20see%20if%20there%20were%20any%20machines%20that%20weren't%20sending%20the%26nbsp%3B%20pings%20%2C%20and%20one%20machine%20came%20up%20at%20this%20time.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Arslan11_0-1588780305176.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F189520i8081C6823E978349%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Arslan11_0-1588780305176.png%22%20alt%3D%22Arslan11_0-1588780305176.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ECan%20you%20please%20have%20a%20look%20at%20this%20query%20again%2C%20I%20still%20want%20to%20be%20alerted%20about%20other%20machines%20which%20is%20not%20sending%20the%20pings%2C%26nbsp%3B%20expect%20the%20one's%20which%20get's%20turn%20off%20at%2010%3A00%20pm%20and%20turn%20back%20on%20at%206%3A00%20am%20as%20shown%20in%20the%20query%20below%2C%20which%20you%20helped%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHeartbeat%20existing%20query%3C%2FP%3E%3CP%3EHeartbeat%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%3CBR%20%2F%3E%7C%20where%20Computer%20!%3D%20%22NH-CMVMAAZ.networkhg.org.uk%22%20and%20Computer%20!%3D%20%22UAT-WVD-REL86-0.networkhg.org.uk%22%3CBR%20%2F%
3E%7C%20where%20Computer%20%3D%3D%20%22NET-CCWALLBOARD.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-FS3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-GISSQL1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-OVUAT2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NET-P2PTESTAPP1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NH-AAHW2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22NH-ADAPPP-02.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-0.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-1.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-2.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-3.networkhg.org.uk%22%20and%20Computer%20%3D%3D%20%22VM-WVD-REL86-4.networkhg.org.uk%22%3CBR%20%2F%3E%7C%20extend%20hour%20%3D%20datetime_part(%22hour%22%2C%20TimeGenerated)%3CBR%20%2F%3E%7C%20where%20hour%20between%20(06%20..%2022)%3CBR%20%2F%3E%7C%20summarize%20LastCall%20%3D%20max(TimeGenerated)%20by%20Computer%2C%20ComputerEnvironment%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1364719%22%20slang%3D%22en-US%22%3ERe%3A%20Machine%20not%20sedning%20pings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1364719%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F643248%22%20target%3D%22_blank%22%3E%40Arslan11%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20think%20I'm%20understanding%20your%20requirements%20a%20bit%20more%20now.%26nbsp%3B%20This%20now%20does%20the%20work%20in%20two%20phases%2C%20the%20first%20part%20deals%20with%20the%20shutdown%20servers%20in%20the%20time%20windows%20you%20specified.%26nbsp%3B%20I%20then%20join%20those%20with%20all%20the%20other%20servers%2C%20to%20show%20the%20%3CSTRONG%3ElastCall%3C%2FSTRONG%3E%20for%20both%20(but%20none%20of%20the%20ones%20in%20the%20sh
utdown%20window).%26nbsp%3B%20%26nbsp%3BI%20that%20right%3F%26nbsp%3B%20Please%20test%20and%20adjust%20the%20KQL%20yourself%20to%20suit%20your%20expected%20outcome.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3E%2F%2F%20please%20add%20a%20list%20of%20your%20servers%20here%2C%20these%20ones%20are%20the%20ones%20that%20are%20*shutdown*%20overnight%0Alet%20shutdownComputers%20%3D%20dynamic(%5B%22rancher-node-1%22%2C%22rancher-node-2%22%2C%22rancher-node-3%22%5D)%3B%0A%2F%2F%20config%20the%20hours%20to%20exclude%0Alet%20startHour%20%3D%2007%3B%20%20%20%2F%2F%207am%0Alet%20endHour%20%20%20%3D%2022%3B%20%20%20%2F%2F%2010pm%0AHeartbeat%0A%2F%2F%20Get%20just%20the%20excluded%20Servers%0A%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(1d))%20%0A%7C%20where%20Computer%20in%20(shutdownComputers)%0A%7C%20summarize%20LastCall%20%3D%20arg_max(%20TimeGenerated%2C%20datetime_part(%22hour%22%2C%20TimeGenerated)%20between(%20startHour%20..%20endHour)%20)%0A%20%20%20%20%20%20%20%20%20%20%20%20by%20Computer%2C%20sComputer%20%3D%20strcat(%22Computer%20in%20OFFLINE%20list%20from%20%22%2C%20startHour%2C%22%20to%20%22%2C%20endHour%2C%22%20%3A%22%2CComputer)%2C%20ComputerEnvironment%0A%7C%20where%20isnotempty(LastCall)%0A%7C%20project%20Computer%20%2C%20LastCall%2C%20sComputer%0A%2F%2F%20Now%20join%20those%20excluded%20servers%20with%20the%20others...%20%20%20%0A%7C%20join%20kind%3D%20fullouter%20%20%0A%20(%0A%20%20%20%20Heartbeat%0A%20%20%20%20%7C%20where%20TimeGenerated%20%26gt%3B%20startofday(ago(1d))%20%0A%20%20%20%20%7C%20where%20Computer%20!in%20(shutdownComputers)%0A%20%20%20%20%7C%20summarize%20LastCall%20%3D%20arg_max(TimeGenerated%2C*)%20by%20Computer%0A%20)%20on%20Computer%0A%2F%2F%20This%20bit%20can%20probably%20be%20improved%20if%20I%20get%20time%20%20%0A%7C%20extend%20Computer%20%3D%20iif(isempty(Computer)%2CComputer1%2CComputer)%2C%0A%20%20%20%20%20%20%20%20%20LastCall%20%3D%20iif(ise

Kusto query 

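// Reports computers whose newest Heartbeat record in the last 24 hours is older than 10 minutes.
// A computer with no Heartbeat row at all in that window forms no group and is therefore not listed.
Heartbeat
| where TimeGenerated > ago(24h)
// Two machines are left out of the report by name.
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
// Newest heartbeat per computer (and environment).
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment
// Closing parenthesis added; as posted, `ago(10m` does not parse.
| where LastCall < ago(10m)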

 

I need assistance with this query. I don't want the following servers to be reported as not sending pings; those servers get shut down at 10:00pm UK time and start at 6:00am UK time.

 

I don't want those servers to be reported from 10:00pm to 6:00am, how can I amend my existing query and make this possible

25 Replies

@Arslan11 

 

Look out for a blog post on KQL and time from me on the Sentinel blog, hopefully later this week.  Here we get just the "hours" from TimeGenerated and use that to say: I only want heartbeats from the hours between 07:00 and 22:00.  Please remove the "hour" column when you are happy this works as expected.

 

// Test version: keeps only heartbeats stamped in hours 7 through 22 and shows them per hour.
Heartbeat
| where TimeGenerated > ago(1d)
// Hour component of each record's timestamp.
// NOTE(review): Log Analytics stores TimeGenerated in UTC, so this is the UTC hour; UK local time is an hour ahead in summer — confirm the window.
| extend hour = datetime_part("hour", TimeGenerated)
// `between` is inclusive at both ends, so records stamped 22:00–22:59 are kept.
// NOTE(review): the filter applies to when a heartbeat was recorded, not to when the query runs; a machine that stops at 22:00
// still has a LastCall older than 10 minutes when the rule runs overnight — verify the alert is really suppressed.
| where hour between (07 .. 22)
// Grouping by hour yields one row per computer per hour, which is useful only while testing.
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, hour
| where LastCall < ago(10m)
| order by hour asc 

   

@Clive WatsonThanks, you mentioned to remove the hour column, if I will do that, then the hour between will not work, or you want me to still remove it

 

 

// Same per-hour test query, with two machines excluded by name.
Heartbeat
| where TimeGenerated > ago(1d)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
// Disabled single-machine filter, left in for testing.
//| where Computer == "demo2"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)
// `hour` has to stay in the by-clause for the final `order by hour` to resolve:
// after summarize only the by-columns and the aggregates remain.
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, hour
| where LastCall < ago(10m)
| order by hour asc

 

@Arslan11 

 

Sorry I meant from the Summarize line (you do need it until then), summarize becomes this 

 

| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment

 

I just removed the ", hour" from the end of the line.

@Clive WatsonThanks, Heartbeat
| where TimeGenerated > ago(1d)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk" // NOTE(review): one Computer value cannot equal six different names, so this `and` chain matches no rows
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, // trailing comma left behind after removing "hour"; the parser then stops at the next "|", which is the error reported below
| where LastCall < ago(10m)
| order by hour asc // "hour" is no longer a column once it is dropped from the summarize, so this line has to go as well

 

I am getting the error below after I removed the hour. Do I need to put the hour back?

Query could not be parsed at '|' on line [8,0]

Token: |
Line: 8
Position: 0

 

@Clive WatsonI have amended by query

 

// Amended query: parses, but see the note on the `==` filter.
Heartbeat
| where TimeGenerated > ago(24h)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
// NOTE(review): every term is joined with `and`, and one Computer value cannot equal six different names,
// so this filter matches no rows and the query returns nothing.
| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)
// The `LastCall < ago(10m)` filter from the earlier versions is not present here, so nothing selects stale machines.
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment

 

removed the hour from the last line, is that what you were asking for

@Arslan11

 

That's correct syntax. It's totally up to you whether to remove the hour column (it's probably useful when building/testing the query but not after that); your choice.

 

If you think it may be useful in the future, you could also comment it out rather than remove it?

 

e.g. 

| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment //, hour

@Clive Watsonjust to have better understanding on my logic.

 

why is it important to have the hour column, is it for testing purposes, when you want to see , which machines are not pinging in that hour and it will show the machines that are switched off, when testing the query

 

@Arslan11 

 

Just for testing, we create it here (line 1 below), in line 2 we use it to further filter the rows returned by the query - in this case those hours that start between 7am and 22pm. 

After that it isn't really needed in the display (optional).  I only added it to the summarise line, so I could check I'd done the query correctly.   You may like to keep it, to check I'm right? 

 

| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (07 .. 22)

@Clive WatsonThanks for the clarification, the query is working as expected 

 

Those machines turned off at 10:00pm and I didn't get machine not sending pings alerts.

 

I will keep the summarise line, for my members of team, if they will run the query , they will be able to see other machines apart from the machines that we do not want to be monitored between 6:00 am and 10:00pm

 

Final query

// "Final query" from this post: last 24h of Heartbeat rows, filtered by computer name and by
// hour of day (06..22), then the latest TimeGenerated per Computer/ComputerEnvironment/hour.
// NOTE(review): `hour` is derived from TimeGenerated, which is stored in UTC -- not UK local time.
Heartbeat
| where TimeGenerated > ago(24h)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
// NOTE(review): the `and` chain below asks for one Computer value to equal eight different
// names at once, which never holds. The query therefore returns no rows, which would also
// explain why no "machine not sending pings" alert arrived -- for any machine, not only the
// ones that are shut down overnight.
| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk" and Computer == "NH-AAHW2.networkhg.org.uk" and Computer == "NH-ADAPPP-02.networkhg.org.uk"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (06 .. 22)
// Grouping by `hour` as well gives one row per computer per hour, not one row per computer.
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment, hour

 

@Arslan11 

 

You can also write the query like this (removing lots of the 'and Computer ==')

 

This uses IN and !IN  (in, and 'not in') https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/inoperator

 

// Same query written with `in` / `!in`: last 24h of Heartbeat rows for the listed computers,
// limited to hours 06..22, then the latest TimeGenerated per Computer/ComputerEnvironment.
// NOTE(review): this is not equivalent to the `==` ... `and` version. `in` matches a row whose
// Computer is ANY of the listed names, so rows come back here, whereas the `and` chain can
// never match. What it returns is the last heartbeat of the listed machines, i.e. machines
// that are reporting; a missing-heartbeat check still needs a staleness filter on LastCall.
// NOTE(review): `hour` is a UTC hour because TimeGenerated is stored in UTC.
Heartbeat
| where TimeGenerated > ago(24h)
// The two lists share no names, so this `!in` is made redundant by the `in` on the next line.
| where Computer !in ("NH-CMVMAAZ.networkhg.org.uk","UAT-WVD-REL86-0.networkhg.org.uk")
| where Computer in ("NET-CCWALLBOARD.networkhg.org.uk","NET-FS3.networkhg.org.uk","NET-GISAPP1.networkhg.org.uk","NET-GISSQL1.networkhg.org.uk","NET-OVUAT2.networkhg.org.uk","NET-P2PTESTAPP1.networkhg.org.uk")
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (06 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment  //, hour

 

Other great Resources to read are:

 

Best practise: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices

Prefer using case-sensitive operators when applicable, as they are more performant. For example, prefer using == over =~, in over in~, and contains_cs over contains (but if you can avoid contains/contains_cs altogether and use has/has_cs, that's even better).

 

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-optimization

@Clive Watson I tried this using the in and !in, but I am afraid it didn't work. You can see the results; it is displaying the machines that are turned on.

 

I revert back to the old query, not using the in and !in

 

Arslan11_0-1588692074767.png

 

@Clive Watson 

 I tired this using the in and !in, I am afraid, it didn't work. You can see the results, is displaying the machines that are turned on.

 

I revert back to the old query, not using the in and !in

 

 

 

 

@Clive Watson  I tired this using the in and !in, I am afraid, it didn't work. You can see the results, is displaying the machines that are turned on.

I revert back to the old query, not using the in and !in

@Arslan11 

 

You said you had reverted to not using the IN and !in, so I didn't reply again. Is the original query not working?

@Clive Watson I think the query isn't working properly because

 

// Query re-posted for review: last 24h of Heartbeat rows, filtered by name and by hour (07..22).
// NOTE(review): the `Computer == ... and Computer == ...` line can never be true for a single
// row, so this returns no rows at all; that fits with no alert having fired for two days.
// NOTE(review): no staleness filter on LastCall is shown, and `hour` is a UTC hour.
Heartbeat  hour to monitor

| where TimeGenerated > ago(24h)

| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"

| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk"

| extend hour = datetime_part("hour", TimeGenerated)

| where hour between (07 .. 22)

| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment

 

 

Because I was wondering: it has been two days and I haven't received a single alert for machine not sending pings.

 

I run another query to see, if we had any machines that were not pinging and there is one at 8:00am, which I didn't got alert about

 

Arslan11_0-1588775638318.png

Can you please have a look at my query again

 

 

The screen shot shows two servers, one is at 8:56 is that the one, you say is 8am? If the query is working, it may be the Alert that isn't setup right? Is this an Azure Monitor alert?

@Clive Watson Not an alert, just a query that  I run to see if there were any machines that weren't sending the  pings , and one machine came up at this time.

 

Arslan11_0-1588780305176.png

Can you please have a look at this query again? I still want to be alerted about other machines which are not sending pings, except the ones which get turned off at 10:00 pm and turned back on at 6:00 am, as shown in the query below, which you helped with

 

Heartbeat existing query

// Existing heartbeat query: last 24h of Heartbeat rows, filtered by computer name and by
// hour of day (06..22), then the latest TimeGenerated per Computer/ComputerEnvironment.
// NOTE(review): `hour` is a UTC hour (TimeGenerated is stored in UTC), and no staleness
// filter on LastCall is shown after the summarize.
Heartbeat
| where TimeGenerated > ago(24h)
| where Computer != "NH-CMVMAAZ.networkhg.org.uk" and Computer != "UAT-WVD-REL86-0.networkhg.org.uk"
// NOTE(review): all thirteen comparisons are combined with `and`; one Computer value cannot
// equal them all, so nothing passes this line and the query is empty for every machine,
// including the ones that should still be monitored.
| where Computer == "NET-CCWALLBOARD.networkhg.org.uk" and Computer == "NET-FS3.networkhg.org.uk" and Computer == "NET-GISAPP1.networkhg.org.uk" and Computer == "NET-GISSQL1.networkhg.org.uk" and Computer == "NET-OVUAT2.networkhg.org.uk" and Computer == "NET-P2PTESTAPP1.networkhg.org.uk" and Computer == "NH-AAHW2.networkhg.org.uk" and Computer == "NH-ADAPPP-02.networkhg.org.uk" and Computer == "VM-WVD-REL86-0.networkhg.org.uk" and Computer == "VM-WVD-REL86-1.networkhg.org.uk" and Computer == "VM-WVD-REL86-2.networkhg.org.uk" and Computer == "VM-WVD-REL86-3.networkhg.org.uk" and Computer == "VM-WVD-REL86-4.networkhg.org.uk"
| extend hour = datetime_part("hour", TimeGenerated)
| where hour between (06 .. 22)
| summarize LastCall = max(TimeGenerated) by Computer, ComputerEnvironment 

@Arslan11 

 

I think I'm understanding your requirements a bit more now.  This now does the work in two phases: the first part deals with the shutdown servers in the time window you specified.  I then join those with all the other servers, to show the LastCall for both (but none of the ones in the shutdown window).   Is that right?  Please test and adjust the KQL yourself to suit your expected outcome.   

 

// Two-phase heartbeat report: phase 1 takes the latest Heartbeat row for each computer in the
// overnight-shutdown list, phase 2 takes the latest row for every other computer, and a full
// outer join puts both sets into one LastCall / Computer / sComputer result.
// NOTE(review): as posted this reports the last heartbeat only; for a missing-heartbeat alert
// a staleness test on LastCall (for example against ago(10m)) still has to follow -- confirm.
// please add a list of your servers here, these ones are the ones that are *shutdown* overnight
let shutdownComputers = dynamic(["rancher-node-1","rancher-node-2","rancher-node-3"]);
// config the hours to exclude
// NOTE(review): 07..22 reads like the hours the servers are expected to be up, not the
// shutdown window -- confirm which is meant. `between (a .. b)` is an inclusive range and needs
// a <= b, so a window that crosses midnight (22 .. 06) matches no hour at all. The hour comes
// from TimeGenerated, which is stored in UTC rather than UK local time.
let startHour = 07;   // 7am
let endHour   = 22;   // 10pm
Heartbeat
// Get just the excluded Servers
| where TimeGenerated > startofday(ago(1d)) 
| where Computer in (shutdownComputers)
// NOTE(review): the `between` test is passed as arg_max's second argument, so it is a value
// returned with the latest row, not a filter on rows -- it looks as if heartbeats outside
// startHour..endHour still count towards LastCall; verify against real data.
| summarize LastCall = arg_max( TimeGenerated, datetime_part("hour", TimeGenerated) between( startHour .. endHour) )
            by Computer, sComputer = strcat("Computer in OFFLINE list from ", startHour," to ", endHour," :",Computer), ComputerEnvironment
| where isnotempty(LastCall)
| project Computer , LastCall, sComputer
// Now join those excluded servers with the others...   
// The two sides select disjoint computers (`in` vs `!in` on the same list), so no key matches
// and the full outer join acts like a union of the two result sets.
| join kind= fullouter  
 (
    Heartbeat
    | where TimeGenerated > startofday(ago(1d)) 
    | where Computer !in (shutdownComputers)
    | summarize LastCall = arg_max(TimeGenerated,*) by Computer
 ) on Computer
// This bit can probably be improved if I get time  
// Computer1 / LastCall1 are the right-hand side's copies of the columns; fold them back into
// Computer / LastCall for the rows that came only from the right side.
| extend Computer = iif(isempty(Computer),Computer1,Computer),
         LastCall = iif(isempty(LastCall),LastCall1,LastCall)
| summarize by LastCall, Computer, sComputer

 


 

@Clive Watson   I adapted the query according to my needs.

 

Still not working, please let me know, where I went wrong.

 

// Adapted two-phase heartbeat report: latest Heartbeat row for the computers in the shutdown
// list, joined (full outer) with the latest row for every other computer.
// NOTE(review): two edits in this copy stop it from working; both are marked below. As in the
// version it was adapted from, no staleness test on LastCall follows the join, so even once it
// parses it lists last heartbeats rather than machines that have gone quiet.
// please add a list of your servers here, these ones are the ones that are *shutdown* overnight

let shutdownComputers = dynamic(["NET-CCWALLBOARD.networkhg.org.uk","NET-FS3.networkhg.org.uk","NET-GISAPP1.networkhg.org.uk","NET-GISSQL1.networkhg.org.uk","NET-OVUAT2.networkhg.org.uk","NET-P2PTESTAPP1.networkhg.org.uk"]);
// config the hours to exclude
// NOTE(review): with startHour = 22 and endHour = 06 the test below is `between (22 .. 06)`.
// `between` is an inclusive low..high range, so no hour satisfies it; a window that crosses
// midnight has to be written as two conditions (hour >= 22 or hour < 6) or as the daytime
// range. The hour is taken from TimeGenerated, which is UTC, not UK local time.
let startHour = 22;
let endHour = 06;
Heartbeat
// Get just the excluded Servers
| where TimeGenerated > startofday(ago(1d))
| where Computer in (shutdownComputers)
// The hour test is an argument of arg_max (a returned value), not a row filter -- verify that
// this gives the exclusion you expect.
| summarize LastCall = arg_max( TimeGenerated, datetime_part("hour", TimeGenerated) between( startHour .. endHour) )
by Computer, sComputer = strcat("Computer in OFFLINE list from ", startHour," to ", endHour," :",Computer), ComputerEnvironment
| where isnotempty(LastCall)
| project Computer , LastCall, sComputer
// Now join those excluded servers with the others...
| join kind= fullouter
(
Heartbeat
| where TimeGenerated > startofday(ago(1d))
| where Computer !in (shutdownComputers)
| summarize LastCall = arg_max(TimeGenerated,*) by Computer
) on Computer
// This bit can probably be improved if I get time
// NOTE(review): the next line does not parse: the string literal is never closed and iif()
// is left without its three arguments. In the query this was adapted from, the line reads
//   | extend Computer = iif(isempty(Computer),Computer1,Computer),
// and refers to columns, not to a machine name; machine names belong in shutdownComputers.
| extend Computer = iif(isempty("NH-CMVMAAZ.networkhg.org),),
LastCall = iif(isempty(LastCall),LastCall1,LastCall)
| summarize by LastCall, Computer, sComputer