Query to Create Alert for W3WP process



Looking for a KQL query to create an alert for the W3WP worker process, which keeps hanging after reaching a certain CPU usage on our webservers. The goal is to receive an alert if there are consecutive breaches of a set threshold on a specific time schedule, which will have our developers check if the process needs to be killed. I have searched a lot to get a refined query but was not successful; any help or guidance would be much appreciated. Thanks.


For the CPU pinning on our ASP.Net services, we were looking for one of two queries:

  • If multiple consecutive total CPU utilization readings are within a rough threshold of 1 core fully consumed (e.g. 2 vCPU total = 50%, 4 vCPU = 25%).
  • If we can log CPU utilization for a specific process name (e.g. via performance counters), then log when just that one process name is within that single pinned core threshold for a few consecutive readings.
2 Replies

Anyone with help on this please, I am a bit lost with this.

Followed the below article to get a list of all processes which are using CPU; need to single out pinned CPU for each W3WP process, and if its usage does change during a period of change, want that to be alerted.








I'm not sure how to look for Cores rather than CPUs, so this shows the % for the process.  This is a query I use to detect the last 6 data points and if they are all above the threshold defined by maxVal you will see the servers listed.  I left a last line in but commented out, as that allows you to test for an OR condition (where any of the final 6 data points are above the threshold). 
You can amend line #8 if you want more or less data points


let procName = 'w3wp';
let maxVal = 150;
Perf
| where TimeGenerated >= ago(1d)
| where CounterName == "% Processor Time"
        and InstanceName == procName
| make-series processCpuPct = max(CounterValue) on TimeGenerated from ago(1d) to now() step 1h by Computer // one max value per hour per Computer
| where processCpuPct[-1] > maxVal and processCpuPct[-2] > maxVal and processCpuPct[-3] > maxVal and processCpuPct[-4] > maxVal and processCpuPct[-5] > maxVal and processCpuPct[-6] > maxVal
//| where processCpuPct[-1] > maxVal or processCpuPct[-2] > maxVal or processCpuPct[-3] > maxVal or processCpuPct[-4] > maxVal or processCpuPct[-5] > maxVal or processCpuPct[-6] > maxVal
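
The first option in the question (total CPU sitting at roughly one core's worth for several consecutive readings), as an added example that is not part of either post. It assumes a hand-maintained `Cores` lookup of vCPU counts per server, and the `SamplePerf` rows, `tolerance` and `needed` values are constructed for illustration.

```kusto
// Constructed rows standing in for the Perf table (5-minute samples).
let SamplePerf = datatable(TimeGenerated:datetime, Computer:string, ObjectName:string,
                           CounterName:string, InstanceName:string, CounterValue:real)
[
    datetime(2024-01-01 10:00), "web01", "Processor", "% Processor Time", "_Total", 20.0,
    datetime(2024-01-01 10:05), "web01", "Processor", "% Processor Time", "_Total", 48.0,
    datetime(2024-01-01 10:10), "web01", "Processor", "% Processor Time", "_Total", 51.0,
    datetime(2024-01-01 10:15), "web01", "Processor", "% Processor Time", "_Total", 52.0,
    datetime(2024-01-01 10:20), "web01", "Processor", "% Processor Time", "_Total", 49.0,
    datetime(2024-01-01 10:00), "web02", "Processor", "% Processor Time", "_Total", 24.0,
    datetime(2024-01-01 10:05), "web02", "Processor", "% Processor Time", "_Total", 26.0,
    datetime(2024-01-01 10:10), "web02", "Processor", "% Processor Time", "_Total", 60.0,
    datetime(2024-01-01 10:15), "web02", "Processor", "% Processor Time", "_Total", 25.0,
    datetime(2024-01-01 10:20), "web02", "Processor", "% Processor Time", "_Total", 24.0
];
// Assumption: vCPU counts are supplied by hand in this lookup table.
let Cores = datatable(Computer:string, vCpu:int) [ "web01", 2, "web02", 4 ];
let tolerance = 5.0;   // allowed distance (percentage points) from "one core busy"
let needed = 3;        // consecutive in-band readings required before alerting
SamplePerf             // swap in Perf plus a TimeGenerated filter for real data
| where ObjectName == "Processor" and CounterName == "% Processor Time"
        and InstanceName == "_Total"
| summarize cpu = max(CounterValue) by Computer, bin(TimeGenerated, 5m)
| lookup kind=inner Cores on Computer
| extend target = 100.0 / vCpu                  // 2 vCPU -> 50, 4 vCPU -> 25
| extend pinned = abs(cpu - target) <= tolerance
| order by Computer asc, TimeGenerated asc
// Running count of in-band readings; resets on a new server or an out-of-band reading.
| extend streak = row_cumsum(iff(pinned, 1, 0), Computer != prev(Computer) or not(pinned))
// Keep only the most recent reading per server and alert on its streak length.
| summarize arg_max(TimeGenerated, streak, cpu, target) by Computer
| where streak >= needed
```

With the constructed rows only web01 is returned (four in-band readings in a row); web02's 60% spike resets its streak to two.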