SOLVED

Need query for Getting the Status of a particular app pool in IIS


Hi,

 

Can you share the query to identify when a particular IIS application pool stopped/crashed via Log Analytics?

 

Thanks 

RC 

7 Replies

@RCDevops777 

 

You should hopefully have EventIDs that match what you are looking for in your logs.

I'd run this to see which Event IDs you have:

Event
| where TimeGenerated > ago(30d)
| search "application pool"
| summarize count() by EventID

You can then check the 'RenderedDescription' to see which ones are stop/start or other events 

 

Event
| where TimeGenerated > ago(30d)
| search "application pool"
| summarize count() by EventID, RenderedDescription

I have a few App Pools but not a lot of data; a query like this would get the info from the past 60 days. I don't think that is an extensive list of Event IDs, but it is a base to start from. If you don't have any in your logs, then look online. 60 days is my value; edit it to provide the best criteria for your search.

Event
| where TimeGenerated > ago(60d)
| where EventID in (5186, 5080 , 5079, 5074, 5076, 5189, 503)
| summarize count() by  EventID

You can get the App Pool Name,  by parsing RenderedDescription like this

Event
| where TimeGenerated > ago(60d)
| parse RenderedDescription with *"serving application pool '" AppPoolName "' was"*   // parse the field for the pool name
| where AppPoolName == "DefaultAppPool"   // only show where the pool name matches
| summarize count() by AppPoolName  

I hope this is good start...

 

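As an added example (not part of the reply above), here is a discovery query that does the same inventory without the free-text `search` operator, which scans every column of every table in the workspace and gets slow quickly. It filters on the provider that actually writes application-pool events, `Microsoft-Windows-WAS` in the System log, and pulls the pool name out of `RenderedDescription` with a regular expression instead of a positional `parse`, because the pool name sits in a different parameter slot depending on the event (it is the second parameter in the idle-shutdown message quoted later in this thread, but the first in messages that begin "Application pool '...'"). The provider name and the `application pool '<name>'` wording are the standard WAS ones; the 30-day window is an assumption to adjust.

```kusto
// Added example: inventory the Windows Process Activation Service (WAS) events the
// workspace has actually received, with one sample message per event ID.
// Assumes the agent collects the Windows System log into the Event table.
Event
| where TimeGenerated > ago(30d)                       // assumed lookback; adjust
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
// The pool name is always rendered as "application pool '<name>'", whichever
// parameter slot it occupies, so a regex is more robust than parsing ParameterXml
// by position. (?i) makes it case-insensitive for messages that start with
// "Application pool '...'".
| extend AppPoolName = extract(@"(?i)application pool '([^']+)'", 1, RenderedDescription)
| summarize Events        = count(),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated),
            Pools         = make_set(AppPoolName),
            SampleMessage = take_any(RenderedDescription)
  by EventID
| order by Events desc
```

Read `SampleMessage` for each `EventID` to decide which ones are genuine stop/crash conditions and which are routine lifecycle noise (idle-timeout shutdowns, scheduled recycles) before building an alert on them.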

I got this query, but I am unable to figure out when it stopped or started.

Event
| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "XXXXXX"
| summarize by AppPoolName, EventID, RenderedDescription, Computer
//| summarize by AppPoolName, EventID


@RCDevops777

This would show the time of the event?

 

Event
| where TimeGenerated > ago(60d)
//| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "DefaultAppPool"
| summarize by TimeGenerated, AppPoolName, EventID, RenderedDescription, Computer

[Screenshot: query results showing TimeGenerated, AppPoolName, EventID, RenderedDescription and Computer]


@Clive Watson

I don't need the time... basically I am trying to create a log search alert so that we know when the app pool stopped or crashed.

Best Response confirmed by RCDevops777 (Occasional Contributor)
Solution

@RCDevops777

 

Ah ok, so this is for an Alert. In that case, you always put the Time filter as part of the Alert form, not in the query, so I commented that line out.

I added a line to check for "5186" events and 'shutdown'. However, you will need to find the right EventIDs and text (maybe you don't need the text?). I only have 5186 events, so I don't know the right IDs.

I then created a value for the output = 1 (success). So you can now tell the Alert to fire when the value is > zero.

 

Event
//| where TimeGenerated > ago(60d)
//| where Computer contains "XXXXX"
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
| parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
| where AppPoolName == "DefaultAppPool"
| where RenderedDescription has "shutdown" and EventID == 5186   // EventID is an integer column, so compare to a number, not a string
| extend AggregatedValue =1 
//| summarize by AppPoolName, EventID, RenderedDescription, Computer

Mock Alert config. Where AggregatedValue > 0 (zero), as this should be "1" if the query finds a match.
Look back 24 hrs (1440 mins, which is the max) and poll every 15 mins; adjust these values to suit.

[Screenshot: mock alert rule configuration, AggregatedValue > 0, 1440-minute period, 15-minute frequency]

 


@Clive Watson Thanks for helping me with this... I see that you got this working with rendered description as "shutdown". One thing I am noticing is I don't see any entries with shutdown, but I see with rendered description "has requested a recycle". I have set the alert with this description, but it looks like the user needs to know when it stopped and started instead of recycle. Need to check more on this.


@RCDevops777

Sounds like we are nearly done. I did mention I used 'Shutdown' as a test bit of text.

Hopefully you'll be able to spot a real "stopped" event soon, and get the real EventID # and/or correct text.

 

:)
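The thread ends without pinning down which events actually mean "the pool stopped". As an added example (not from either participant), here is the alert query I would run instead of the 5186/"shutdown" placeholder. Two caveats it bakes in: 5186 is the idle-timeout shutdown of a worker process and the "has requested a recycle" events (5074/5076 in the list above) are normal lifecycle events, so neither should page anyone; and `EventID` is an integer column, so `EventID == "5186"` with a string is a type error and must be written as `EventID == 5186`. The event IDs below are the standard WAS worker-process failure and rapid-fail-protection events; treat them as an assumption to confirm against your own event inventory before trusting the rule, since the thread itself never verified them. `DefaultAppPool` is a placeholder.

```kusto
// Added example: alert query for an IIS application pool that stopped or crashed.
// No time filter here; the alert rule's period supplies the lookback window.
let targetPool = "DefaultAppPool";                     // placeholder pool name
// WAS events that mean the pool is no longer serving requests. Assumed standard
// IDs; confirm each against the messages in your own workspace:
//   5002 - pool automatically disabled after a series of worker process failures
//          (rapid-fail protection)
//   5009 - worker process terminated unexpectedly
//   5010 - worker process failed to respond to a ping
//   5011 - worker process had a fatal communication error with WAS
let stopEvents  = dynamic([5002, 5009, 5010, 5011]);
// Routine lifecycle events that must never trip the rule:
//   5186 - worker process shut down due to inactivity (idle timeout)
//   5074, 5076 - worker process requested a recycle
let noiseEvents = dynamic([5186, 5074, 5076]);
Event
| where EventLog == "System" and Source == "Microsoft-Windows-WAS"
// Match on the known IDs, with the message text as a safety net for any
// failure event not in the list; then drop the known-benign events explicitly.
| where EventID in (stopEvents)
     or RenderedDescription has_any ("disabled", "terminated unexpectedly")
| where EventID !in (noiseEvents)
// Pool name by regex rather than by ParameterXml position, because the pool is
// the first parameter in "Application pool '...' is being automatically disabled"
// but the second in the worker-process messages.
| extend AppPoolName = extract(@"(?i)application pool '([^']+)'", 1, RenderedDescription)
| where AppPoolName =~ targetPool
| project TimeGenerated, Computer, AppPoolName, EventID, RenderedDescription
| order by TimeGenerated desc
```

Configure the alert rule to measure the number of results and fire when it is greater than 0, with a lookback period slightly longer than the evaluation frequency (for example a 15-minute period polled every 5 minutes) so no event falls between two evaluations; the 1440-minute lookback in the mock config above would re-fire on the same event for a full day. A pool being auto-disabled by rapid-fail protection after repeated worker-process crashes is also what a crash-inducing attack on a native module or a resource-exhaustion attempt looks like from the server side, so this alert doubles as an availability tripwire and is worth routing to the people who would investigate that.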