cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Need a query for OMS agents NOT sending logs in the past 24 hours.

bobsyouruncle
Frequent Contributor

‎Mar 14 2021 09:29 AM - edited ‎Mar 14 2021 05:41 PM

‎Mar 14 2021 09:29 AM - edited ‎Mar 14 2021 05:41 PM

Need a query for OMS agents NOT sending logs in the past 24 hours.

Hi there,

I have a watchlist of my oms agents.

I'd like to use DeviceProcessEvents to list agents that have NOT reported any processes in the past 24 hours.

I don't want to use the Heartbeat table for this.

I'm looking for agents that are possibly still sending heartbeats but they're 'unhooked' from memory, so they're blind to most processes.

eg:

let watchlist = (_GetWatchlist('OMSagents')|project Computer);
DeviceProcessEvents
|where DeviceName in (watchlist)
|summarize max(TimeGenerated) by DeviceName
|where max_TimeGenerated < now(-7d)

So the above query works, but only if all sensors in the list have logs in DeviceProcessEvents in the past 7 days.

Thank you in advance for your feedback.

542 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by bobsyouruncle (Frequent Contributor)
Gary Bushey

‎Mar 15 2021 05:57 AM

‎Mar 15 2021 05:57 AM

Solution

Re: Need a query for OMS agents NOT sending logs in the past 24 hours.

@bobsyouruncle The main problem is that you won't know if one is missing unless it has sent data in the past.  So no matter whether you choose 7, 14, or 90 days, if the device has never sent data you won't know about it.

 

I would do a comparison with the Heartbeat table and see if the devices that are not sending data show up more in there and if so do a join with that table to get a listing of the server and see if they show up in the DeviceProcessEvents table.

1 Like
Reply
bobsyouruncle

‎Mar 19 2021 09:10 PM

‎Mar 19 2021 09:10 PM

Re: Need a query for OMS agents NOT sending logs in the past 24 hours.

you're correct Gary, thanks, I hadn't thought it through all the way.
much appreciated!
0 Likes
Reply