Alert when Windows service is stopped in all VMs

Hi,

 

This discussion is a continuation of this.

 

I have two nodes that run a Windows Service. By default, the service is only up on one node at a time. I need to create an alert when the service is down on both nodes. Anyone know how to do that?

 

The query below, which I got from the previous discussion, works when executed in Log Analytics workspace logs, but from the alert custom log query it gives a different result. Is it because the alert chooses different time frames even though the query says to check the log for the last 30 days?

 

let status =
Event
| where TimeGenerated > ago(30d)
| where EventLog == 'System' and EventID == 7036 and Source == 'Service Control Manager' and RenderedDescription has "PowerCurve - Job Server"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>' *
| summarize (TimeGenerated, winstatus) = arg_max(TimeGenerated, Windows_Service_State) by Windows_Service_Name, Computer;
status
| extend winstatus = iif(winstatus == 'running', 1, 0)
| summarize sumif(winstatus, winstatus > 0), ComputersOK = make_set_if(Computer, winstatus > 0), ComputerNotOk = make_set_if(Computer, winstatus == 0)
| extend ServiceStatus = iif(sumif_winstatus > 0, "The service is running"," The Service is not running")
| where sumif_winstatus == 0
| project sumif_winstatus, ComputerNotOk, ComputersOK

 

If the number of results is > 0, then an alert will be triggered. But the same query returns results from the alert fired and returns null when it is executed from the Log Analytics workspace.

 

Could someone help to address this issue?

 

Regards,

Racheal

2 Replies

@CliveWatson,

 

Thanks. I was checking the same link too and changed the time generated to check for the last 1 day.

It worked after the tweak below in the query:

 

status
| where isnotempty(winstatus)  // added this line to check for null values
| extend winstatus = iif(winstatus == 'running', 1, 0)

 

Regards,

Racheal
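
An offline Python rendition of the thread's logic, added here as an example and not code from either poster: it takes the latest 7036 state per node, applies the empty-state filter from the reply, and alerts only when no node is running. The node names, timestamps and events are constructed, and the guard that an empty result does not alert is an assumption of this example, not part of the thread's query.

```python
import re
from datetime import datetime

# Same two markers the thread's `parse` line extracts from EventData.
PATTERN = re.compile(r'<Data Name="param1">(?P<name>.*?)</Data>'
                     r'<Data Name="param2">(?P<state>.*?)</Data>')

def latest_states(events, drop_empty=True):
    """Newest state per (service, computer); events are (time, computer, event_data)."""
    latest = {}
    for ts, computer, event_data in events:
        m = PATTERN.search(event_data)
        # As with parse kind=relaxed, a non-matching row is kept with empty fields.
        name, state = (m["name"], m["state"]) if m else ("", "")
        key = (name, computer)
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, state)
    # drop_empty corresponds to the reply's `where isnotempty(winstatus)`.
    return {k: s for k, (_, s) in latest.items() if s or not drop_empty}

def evaluate(events, drop_empty=True):
    """Alert only when at least one node reported and none is running."""
    states = latest_states(events, drop_empty)
    ok = sorted({c for (_, c), s in states.items() if s == "running"})
    not_ok = sorted({c for (_, c), s in states.items() if s != "running"})
    # Requiring not_ok to be non-empty is a choice made for this example.
    return {"alert": bool(not_ok) and not ok,
            "ComputersOK": ok, "ComputerNotOk": not_ok}

def _event_data(state):  # constructed EventData in the shape the parse line expects
    return ('<DataItem><EventData><Data Name="param1">PowerCurve - Job Server</Data>'
            f'<Data Name="param2">{state}</Data></EventData></DataItem>')

def _t(hour, minute):  # constructed timestamps
    return datetime(2024, 1, 1, hour, minute)

# Constructed sample events, not real log data.
FAILOVER = [(_t(9, 0), "NODE-A", _event_data("running")),
            (_t(9, 5), "NODE-B", _event_data("stopped"))]
BOTH_DOWN = FAILOVER + [(_t(10, 0), "NODE-A", _event_data("stopped"))]
UNPARSED = [(_t(9, 5), "NODE-B", "<DataItem/>")]  # EventData the pattern cannot match

if __name__ == "__main__":
    for label, sample in [("failover", FAILOVER), ("both down", BOTH_DOWN)]:
        print(label, evaluate(sample))
    print("unparsed, no filter:", evaluate(UNPARSED, drop_empty=False))
    print("unparsed, filtered: ", evaluate(UNPARSED, drop_empty=True))
```

The `UNPARSED` case shows what the empty-state filter changes: without it, a row whose state could not be extracted is counted as "not running" and raises the alert on its own.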