Forum Discussion

RCDevops777
Copper Contributor
Apr 29, 2019
Solved

Need query for Getting the Status of a particular app pool in IIS

Hi,


Can you share the query to identify when a particular IIS application pool stopped/crashed via Log Analytics. 


Thanks 

RC 

  • @RCDevops777


    Ah ok, so this is for an Alert. In that case, you always put the Time filter as part of the Alert form, not in the query, so I commented that line out.


    I added a line to check for "5186" events and 'shutdown'. However, you will need to find the right EventIDs and txt (maybe you don't need the txt?). I only have 5186 events, so I don't know the right IDs.


    I then created a value for the output = 1 (success). So you can now tell the Alert to fire when the value is > zero.


    Event
    //| where TimeGenerated > ago(60d)
    //| where Computer contains "XXXXX"
    | where EventLog == "System" and Source == "Microsoft-Windows-WAS"
    | parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
    | where AppPoolName == "DefaultAppPool"
    | where RenderedDescription has "shutdown" and EventID == 5186   // EventID is an int column, so compare to a number rather than a string
    | extend AggregatedValue = 1
    //| summarize by AppPoolName, EventID, RenderedDescription, Computer

    Mock Alert config. Where AggregatedValue > 0 (zero), as this should be "1" if the query finds a match.
    Look back 24 hrs (1440 mins, which is the max) and poll every 15 mins; adjust these values to suit.
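An added example, not from the thread: a Python stand-in for the alert query's pipeline, run over constructed sample rows so the two parse patterns and the filter steps can be checked offline. The column shapes, pool names and computer name are assumptions, and the ParameterXml pattern is generalised to also accept the end of the XML as a terminator.

```python
import re

# Constructed sample rows shaped like the Log Analytics Event table (assumption: real
# ParameterXml / RenderedDescription text may differ from these stand-ins).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2019-04-28T10:00:00Z", "Computer": "web01", "EventLog": "System",
     "Source": "Microsoft-Windows-WAS", "EventID": 5186,
     "ParameterXml": "<Param>4321</Param><Param>DefaultAppPool</Param>",
     "RenderedDescription": "A worker process with process id of '4321' serving "
                            "application pool 'DefaultAppPool' was shutdown due to inactivity."},
    {"TimeGenerated": "2019-04-28T10:05:00Z", "Computer": "web01", "EventLog": "System",
     "Source": "Microsoft-Windows-WAS", "EventID": 5186, "ParameterXml": "",
     "RenderedDescription": "A worker process with process id of '4400' serving "
                            "application pool 'ApiPool' was shutdown due to inactivity."},
    {"TimeGenerated": "2019-04-28T10:06:00Z", "Computer": "web01", "EventLog": "Application",
     "Source": "OtherSource", "EventID": 5186, "ParameterXml": "",
     "RenderedDescription": "Unrelated event that happens to reuse ID 5186."},
]
# Counterpart of  parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
# : the parameter after the first </Param><Param> boundary, i.e. the second <Param>. Generalised
# so end-of-XML also ends the match; the thread's pattern only matches when a third <Param> follows.
PARAM_XML_RE = re.compile(r"</Param><Param>([^<]*)(?:</Param>|$)")
# Counterpart of  parse RenderedDescription with * "serving application pool '" AppPoolName "' was" *
DESCRIPTION_RE = re.compile(r"serving application pool '([^']*)' was")

def extract_pool_name(event: dict) -> "str | None":
    """Pool name from ParameterXml, falling back to the rendered description."""
    m = PARAM_XML_RE.search(event.get("ParameterXml", ""))
    if m and m.group(1):
        return m.group(1)
    m = DESCRIPTION_RE.search(event.get("RenderedDescription", ""))
    return m.group(1) if m else None

def shutdown_alert_rows(events: list, pool_name: str) -> list:
    """Mirror the alert query: System/WAS rows for one pool with a 5186 'shutdown' event."""
    rows = []
    for ev in events:
        if ev["EventLog"] != "System" or ev["Source"] != "Microsoft-Windows-WAS":
            continue
        if extract_pool_name(ev) != pool_name:
            continue
        if ev["EventID"] != 5186 or "shutdown" not in ev["RenderedDescription"]:
            continue
        rows.append({"TimeGenerated": ev["TimeGenerated"], "Computer": ev["Computer"],
                     "AppPoolName": pool_name, "EventID": ev["EventID"], "AggregatedValue": 1})
    return rows

def alert_should_fire(rows: list) -> bool:
    """The thread's alert condition: fire when the aggregated value is greater than zero."""
    return sum(r["AggregatedValue"] for r in rows) > 0
```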


  • RCDevops777

    You should hopefully have EventIDs that match what you are looking for in your logs.


    I'd run this to see which Event IDs you have

    Event
    | where TimeGenerated > ago(30d)
    | search "application pool"
    | summarize count() by EventID

    You can then check the 'RenderedDescription' to see which ones are stop/start or other events 


    Event
    | where TimeGenerated > ago(30d)
    | search "application pool"
    | summarize count() by EventID, RenderedDescription

    I have a few App Pools but not a lot of data; a query like this would get the info from the past 60 days. I don't think that is an extensive list of Event IDs, but it is a base to start from. If you don't have any in your logs, then look online. 60 days is my value; edit it to provide the best criteria for your search.

    Event
    | where TimeGenerated > ago(60d)
    | where EventID in (5186, 5080, 5079, 5074, 5076, 5189, 503)
    | summarize count() by EventID

    You can get the App Pool Name by parsing RenderedDescription like this

    Event
    | where TimeGenerated > ago(60d)
    | parse RenderedDescription with * "serving application pool '" AppPoolName "' was" *   // parse the field for the pool name
    | where AppPoolName == "DefaultAppPool"   // only show where the pool name matches
    | summarize count() by AppPoolName

    I hope this is a good start...


    • RCDevops777
      Copper Contributor

      I got this query... but I'm unable to figure out when it stopped or started.

      Event
      | where Computer contains "XXXXX"
      | where EventLog == "System" and Source == "Microsoft-Windows-WAS"
      | parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
      | where AppPoolName == "XXXXXX"
      | summarize by AppPoolName, EventID, RenderedDescription, Computer
      //| summarize by AppPoolName, EventID

      • CliveWatson
        Former Employee

        RCDevops777 


        This would show the time of the event?


        Event
        | where TimeGenerated > ago(60d)
        //| where Computer contains "XXXXX"
        | where EventLog == "System" and Source == "Microsoft-Windows-WAS"
        | parse ParameterXml with * "</Param><Param>" AppPoolName "</Param><Param>" *
        | where AppPoolName == "DefaultAppPool"
        | summarize by TimeGenerated, AppPoolName, EventID, RenderedDescription, Computer
