cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Show only last status of a service

Jan_F1801
Occasional Contributor

‎Nov 19 2021 01:42 AM - last edited on ‎Apr 08 2022 10:57 AM by

‎Nov 19 2021 01:42 AM - last edited on ‎Apr 08 2022 10:57 AM by

Show only last status of a service

I am trying to write a query that shows me on which VM a service is not running.

The basic framework is quite easy to find on the net:

 

Event
| where TimeGenerated >ago(1d)
| where EventLog == "System" and EventID ==7036 and Source == "Service Control Manager"
| parse kind=relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State '</Data>'*
| where Windows_Service_Name contains "choco".
| sort by TimeGenerated desc
| project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

 

2021-11-19_10h33_43.png

 

But now I want to display only the last state. (As you can see in the example, the service was stopped at first, but then started again).
In this case I am only interested in the fact that the service is running again.

But I can't do this with the summarize.

Labels:
410 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by Jan_F1801 (Occasional Contributor)
Clive_Watson

‎Nov 22 2021 03:01 AM

‎Nov 22 2021 03:01 AM

Solution

Re: Show only last status of a service

You can use arg_max() - simplified example:


Event
| where TimeGenerated >ago(1d)
| where EventLog == "System"
| summarize arg_max(TimeGenerated, EventID, Computer)
0 Likes
Reply