cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Log Analystics Query for VMProcess Stopped

Gopi K
Copper Contributor

‎May 17 2021 07:50 AM - last edited on ‎Apr 08 2022 10:47 AM by

‎May 17 2021 07:50 AM - last edited on ‎Apr 08 2022 10:47 AM by

Log Analystics Query for VMProcess Stopped

Hi, 

 

I need to setup the alert rule for specific VMProcess is stopped.

 

Earlier , we used  set the query using ConfigurationChange Table . 

 

ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
| where Computer == "PRODWIN1234"
| where SvcDisplayName == "WMI Performance Adapter"

Labels:
559 Views
0 Likes
1 Reply
Reply
1 Reply
CliveWatson

‎May 25 2021 07:13 AM

‎May 25 2021 07:13 AM

Re: Log Analystics Query for VMProcess Stopped

You probably only need to look at the last row/record that matches the ServiceName and State

ConfigurationChange
| where ConfigChangeType == "WindowsServices" and SvcState == "Stopped"
| sort by TimeGenerated desc
| where Computer == "PRODWIN1234"
| where SvcDisplayName == "WMI Performance Adapter"
| summarize arg_max(TimeGenerated,*)
0 Likes
Reply