SOLVED

Show only last status of a service

Occasional Contributor

I am trying to write a query that shows me on which VM a service is not running.

The basic framework is quite easy to find on the net:


Event
| where TimeGenerated > ago(1d)
// 7036 from the Service Control Manager = "service entered the running/stopped state"
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
// pull service name (param1) and new state (param2) out of the EventData XML
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name contains "choco"
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated


[Screenshot: 2021-11-19_10h33_43.png, query results showing the service stopping and then starting again]


But now I want to display only the last state. (As you can see in the example, the service was stopped at first, but then started again).
In this case I am only interested in the fact that the service is running again.

But I can't do this with the summarize.

1 Reply
best response confirmed by Jan_F1801 (Occasional Contributor)
Solution
You can use arg_max() - simplified example:


Event
| where TimeGenerated > ago(1d)
| where EventLog == "System"
| summarize arg_max(TimeGenerated, EventID, Computer)
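The accepted answer returns the single newest event overall. To get what the question asks for, the latest state of each matching service on each VM and then only the ones not running, arg_max has to be grouped by Computer and service name. The following is an added example, not the answerer's code; it reuses the parse pattern from the question and assumes the state strings in param2 are "running" / "stopped".

```kusto
// Added example: last known state per (Computer, service), then only the ones
// whose most recent transition was not into the running state.
// Assumes the EventData layout parsed in the question (param1 = service name,
// param2 = new state) and that param2 reads "running" or "stopped".
Event
| where TimeGenerated > ago(1d)
| where EventLog == "System" and EventID == 7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| where Windows_Service_Name contains "choco"
// arg_max keeps, per group, the row with the largest TimeGenerated;
// grouping by Computer and service name yields one row per service per VM
| summarize arg_max(TimeGenerated, Windows_Service_State) by Computer, Windows_Service_Name
// keep only services whose last transition was not to "running" (case-insensitive)
| where Windows_Service_State !~ "running"
| project Computer, Windows_Service_Name, Windows_Service_State, LastChange = TimeGenerated
```

Note that a service with no 7036 event in the window (stopped before the last day, or on a VM that stopped reporting) produces no row at all, so an empty result is not proof that everything is running; widen the window or join against a list of expected computers if that matters.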