Hi Experts,
I have a big concern after when a VM get rebooted and I haven't found any alert through ALA alert.
Let me shed some background behind the scenes.
Generally we have 60 heartbeat for every VMs but I have received 59 heartbeat for one VM and checked that was rebooted but I have not received any alert.
Have a look on below data, where we could see in first column everything is fine but column 2 and 3 has one missing heartbeat.
| TimeGenerated | TimeGenerated | TimeGenerated |
| 2019-09-27T10:00:39 | 2019-09-27T16:00:06 | 2019-09-27T17:00:01 |
| 2019-09-27T10:01:39 | 2019-09-27T16:01:06 | 2019-09-27T17:01:01 |
| 2019-09-27T10:02:39 | 2019-09-27T16:02:06 | 2019-09-27T17:02:01 |
| 2019-09-27T10:03:39 | 2019-09-27T16:03:06 | 2019-09-27T17:03:01 |
| 2019-09-27T10:04:39 | 2019-09-27T16:04:06 | 2019-09-27T17:04:06 |
| 2019-09-27T10:05:39 | 2019-09-27T16:05:06 | 2019-09-27T17:05:06 |
| 2019-09-27T10:06:39 | 2019-09-27T16:06:06 | 2019-09-27T17:06:06 |
| 2019-09-27T10:07:40 | 2019-09-27T16:07:06 | 2019-09-27T17:07:06 |
| 2019-09-27T10:08:40 | 2019-09-27T16:08:06 | 2019-09-27T17:08:11 |
| 2019-09-27T10:09:40 | 2019-09-27T16:09:06 | 2019-09-27T17:09:11 |
| 2019-09-27T10:10:40 | 2019-09-27T16:10:06 | 2019-09-27T17:10:11 |
| 2019-09-27T10:11:40 | 2019-09-27T16:11:06 | 2019-09-27T17:11:11 |
| 2019-09-27T10:12:40 | 2019-09-27T16:12:11 | 2019-09-27T17:12:16 |
| 2019-09-27T10:13:40 | 2019-09-27T16:13:11 | 2019-09-27T17:13:16 |
| 2019-09-27T10:14:40 | 2019-09-27T16:14:11 | 2019-09-27T17:14:16 |
| 2019-09-27T10:15:40 | 2019-09-27T16:15:11 | 2019-09-27T17:15:16 |
| 2019-09-27T10:16:40 | 2019-09-27T16:16:16 | 2019-09-27T17:16:21 |
| 2019-09-27T10:17:40 | 2019-09-27T16:17:16 | 2019-09-27T17:17:21 |
| 2019-09-27T10:18:40 | 2019-09-27T16:18:16 | 2019-09-27T17:18:21 |
| 2019-09-27T10:19:40 | 2019-09-27T16:19:16 | 2019-09-27T17:19:21 |
| 2019-09-27T10:20:40 | 2019-09-27T16:20:21 | 2019-09-27T17:20:26 |
| 2019-09-27T10:21:40 | 2019-09-27T16:21:21 | 2019-09-27T17:21:26 |
| 2019-09-27T10:22:40 | 2019-09-27T16:22:21 | 2019-09-27T17:22:26 |
| 2019-09-27T10:23:40 | 2019-09-27T16:23:21 | 2019-09-27T17:23:26 |
| 2019-09-27T10:24:40 | 2019-09-27T16:24:26 | 2019-09-27T17:24:31 |
| 2019-09-27T10:25:40 | 2019-09-27T16:25:26 | 2019-09-27T17:25:31 |
| 2019-09-27T10:26:40 | 2019-09-27T16:26:26 | 2019-09-27T17:26:31 |
| 2019-09-27T10:27:40 | 2019-09-27T16:27:26 | 2019-09-27T17:27:31 |
| 2019-09-27T10:28:40 | 2019-09-27T16:28:26 | 2019-09-27T17:28:36 |
| 2019-09-27T10:29:40 | 2019-09-27T16:29:26 | 2019-09-27T17:29:36 |
| 2019-09-27T10:30:40 | 2019-09-27T16:30:26 | 2019-09-27T17:30:36 |
| 2019-09-27T10:31:40 | 2019-09-27T16:31:26 | 2019-09-27T17:31:36 |
| 2019-09-27T10:32:40 | 2019-09-27T16:32:26 | 2019-09-27T17:32:41 |
| 2019-09-27T10:33:40 | 2019-09-27T16:33:26 | 2019-09-27T17:33:41 |
| 2019-09-27T10:34:40 | 2019-09-27T16:34:26 | 2019-09-27T17:34:41 |
| 2019-09-27T10:35:40 | 2019-09-27T16:35:31 | 2019-09-27T17:35:41 |
| 2019-09-27T10:36:40 | 2019-09-27T16:36:31 | 2019-09-27T17:36:46 |
| 2019-09-27T10:37:40 | 2019-09-27T16:37:31 | 2019-09-27T17:37:46 |
| 2019-09-27T10:38:40 | 2019-09-27T16:38:31 | 2019-09-27T17:38:46 |
| 2019-09-27T10:39:40 | 2019-09-27T16:39:36 | 2019-09-27T17:39:46 |
| 2019-09-27T10:40:40 | 2019-09-27T16:40:36 | 2019-09-27T17:40:51 |
| 2019-09-27T10:41:40 | 2019-09-27T16:41:36 | 2019-09-27T17:41:51 |
| 2019-09-27T10:42:40 | 2019-09-27T16:42:36 | 2019-09-27T17:42:51 |
| 2019-09-27T10:43:40 | 2019-09-27T16:43:41 | 2019-09-27T17:43:51 |
| 2019-09-27T10:44:40 | 2019-09-27T16:44:41 | 2019-09-27T17:44:56 |
| 2019-09-27T10:45:40 | 2019-09-27T16:45:41 | 2019-09-27T17:45:56 |
| 2019-09-27T10:46:40 | 2019-09-27T16:46:41 | 2019-09-27T17:46:56 |
| 2019-09-27T10:47:40 | 2019-09-27T16:47:46 | 2019-09-27T17:47:56 |
| 2019-09-27T10:48:40 | 2019-09-27T16:48:46 | 2019-09-27T17:48:56 |
| 2019-09-27T10:49:40 | 2019-09-27T16:49:46 | 2019-09-27T17:49:56 |
| 2019-09-27T10:50:40 | 2019-09-27T16:50:46 | 2019-09-27T17:50:56 |
| 2019-09-27T10:51:40 | 2019-09-27T16:51:51 | 2019-09-27T17:51:56 |
| 2019-09-27T10:52:40 | 2019-09-27T16:52:51 | 2019-09-27T17:52:56 |
| 2019-09-27T10:53:41 | 2019-09-27T16:53:51 | 2019-09-27T17:53:56 |
| 2019-09-27T10:54:41 | 2019-09-27T16:54:51 | 2019-09-27T17:54:56 |
| 2019-09-27T10:55:41 | 2019-09-27T16:55:56 | Data for 55 is missing |
| 2019-09-27T10:56:41 | 2019-09-27T16:56:56 | 2019-09-27T17:56:01 |
| 2019-09-27T10:57:41 | 2019-09-27T16:57:56 | 2019-09-27T17:57:01 |
| 2019-09-27T10:58:41 | 2019-09-27T16:58:56 | 2019-09-27T17:58:01 |
| 2019-09-27T10:59:41 | Data for 59 is missing | 2019-09-27T17:59:01 |
Used query to get this data: -
Heartbeat
| where TimeGenerated >= ago(48h)
| where Computer contains "server name"
| distinct TimeGenerated, Computer
| sort by TimeGenerated asc
And I am using below query and samples to trigger on heartbeat, please check and let me know what i need to modify to have an alert whenever any heartbeat gets missed.
Query Using in Alert: -
Heartbeat
| summarize LastCall = max(TimeGenerated) by Computer
| extend AggregatedValue = LastCall
| where LastCall < ago(5m)
Alert Logic
Number of Result Greater Then 0
Evaluated based on
Period 1440
Frequency 1440
Thanks for the help :)
