Dec 07 2021
- last edited on
Apr 08 2022
Looking for a KQL Query to create alert for W3WP worker process which keeps hanging after reaching certain CPU usage on our webservers, goal is to receive an alert is there are consecutive breach of set threshold on specific time schedule which will have our developers check if the process needs to be killed. I have searched a lot to get refined query but not successful any help or guidance would be much appreciated. Thanks.
For the CPU pinning on our ASP.Net services, we were looking for one of two queries:
Dec 13 2021 11:57 AM
anyone with help on this please, i am a bit lost with this.
followed below article to get list of all processes which are using CPU, need to single out pinned CPU for each W3WP process and if its usage does change during a period of change want that to be alerted.
Jan 06 2022 07:22 AM
I'm not sure how to look for Cores rather than CPUs, so this shows the % for the process. This is a query I use to detect the last 6 data points and if they are all above the threshold defined by maxVal you will see the servers listed. I left a last line in but commented out, as that allows you to test for an OR condition (where any of the final 6 data points are above the threshold).
You can amend line #8 if you want more or less data points
let procName = 'w3wp'; let maxVal = 150; Perf | where TimeGenerated >= ago(1d) | where CounterName == "% Processor Time" and InstanceName ==procName | make-series processCpuPct = max(CounterValue) on TimeGenerated from ago(1d) to now() step 1h by Computer | where processCpuPct[-1] > maxVal and processCpuPct[-2] > maxVal and processCpuPct[-3] > maxVal and processCpuPct[-4] > maxVal and processCpuPct[-5] > maxVal and processCpuPct[-6] > maxVal //| where processCpuPct[-1] > maxVal or processCpuPct[-2] > maxVal or processCpuPct[-3] > maxVal or processCpuPct[-4] > maxVal or processCpuPct[-5] > maxVal or processCpuPct[-6] > maxVal