I am trying to write a query that shows me on which VM a service is not running.
The basic framework is quite easy to find on the net:
// Note: the original had a stray "." after "choco" (syntax error); it is removed here.
Event
| where TimeGenerated > ago(1d)
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
// 7036 carries the service name in param1 and its new state in param2
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name contains "choco"
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated
But now I want to display only the last state. (As you can see in the example, the service was stopped at first, but then started again). In this case I am only interested in the fact that the service is running again.
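One way to keep only the latest state-change event per computer and service, as an added example that is not part of the original post: `summarize arg_max(TimeGenerated, *)` returns, for each group, the whole row with the newest timestamp, so a service that was stopped and then started again surfaces as "running". The final `where` then reduces the result to the VMs where the last recorded state is not running. It assumes the 7036 state text in `param2` is literally "running" or "stopped" (the usual Service Control Manager wording; verify against your own events) and that the `Event` table and column names match the query above.

```kql
Event
| where TimeGenerated > ago(1d)
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name contains "choco"
// keep one row per (Computer, service): the one with the newest TimeGenerated
| summarize arg_max(TimeGenerated, Windows_Service_State) by Computer, Windows_Service_Name
// assumption: param2 text is "running" / "stopped"; adjust if your events differ
| where Windows_Service_State !~ "running"
| project Computer, Windows_Service_Name, Windows_Service_State, LastChange = TimeGenerated
| sort by LastChange desc
```

Drop the last `where` to list the latest state of every matching service on every VM; the 1-day window means a VM whose service has not logged a 7036 event in that period will not appear at all, so widen `ago(1d)` if you need coverage for long-running services.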