User Profile
lucajons1980
Copper Contributor
Joined Mar 22, 2019
Recent Discussions
Create alert when Microsoft third-party service stopped and does not return to the status started after 5 m
Hi, I want to create an alert when Microsoft services (third-party) stop and do not return to started after 3 minutes. I read the previous post (Monitoring Windows Services States with Log Analytics) and I've written this:

    Event
    | where Computer contains "BKE"
    | where EventLog == "Application" and Source == "BiTXRDeq"
    | sort by TimeGenerated desc

If I start and stop the service I see the different lines, but I don't know how to set an alert when the service stopped and does not return to the started status after 3/5 minutes. Can you help me? Thanks

Re: Create alert when Microsoft third-party service stopped and does not return to the status started after 5 m
CliveWatson I modified the query; in my log I write 'RenderedDescription':

    Event
    | where TimeGenerated > ago(60m)
    | where Computer contains "BKE"
    | where EventLog == "Application" and EventLevelName == "Information"
        // look for STOPPED only
        // and EventID == 7036
        and Source == "BiTXRDeq"
    // example of the xml: <Data Name="param1">WMI Performance Adapter</Data><Data Name="param2">running</Data><Binary>77006D006900410070005300720076002F0034000000</Binary></EventData></DataItem>
    | parse kind = relaxed EventData with * '<Data Name="param1">' Windows_Service_Name '</Data><Data Name="param2">' Windows_Service_State "</Data>" *
    | sort by TimeGenerated desc
    | project Computer, RenderedDescription, TimeGenerated

because if I use:

    | project Computer, Windows_Service_Name, Windows_Service_State, TimeGenerated

I don't have any rows; Windows_Service_Name and Windows_Service_State are not populated. Even with the modified query the problem remains, because I always have 2 rows, one for the stopped service and one for the started service. I did a restart service test and I have 2 rows in Event Viewer; I think I need a query that discards this situation on restart and notifies me only when I have more stop than start events in the same TimeGenerated. I hope I explained the situation better. Thanks

Re: Create alert when Microsoft third-party service stopped and does not return to the status started after 5 m
Hi CliveWatson, I read your URL but I have a different need. In the example:

    Event
    | where Computer contains "BKE02"
    | where EventLog == "Application" and Source == "BiTXRDeq"
    | where RenderedDescription has "stopped"
    | sort by TimeGenerated desc
    | summarize count() by Computer, RenderedDescription

In the query above I have the service with Source = BiTXRDeq; when it is stopped it sends an email alert, but I must exclude the case when the service restarts and I have 2 events, stopped and started, for this service (with 1 minute difference). In 'create rule' I can add only one log search (file image2). How can I do it? Regards
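The requirement in the three posts above (fire only when a BiTXRDeq stop is not followed by a start within the grace period, in a single log search) can be met with one Kusto query that correlates the stop and start events per computer. The query below is an added example for this profile page; it is not code from the thread or from the Monitoring Windows Services States post. It assumes, as the poster's own queries suggest, that the service writes its state to RenderedDescription and that the start event contains the word "started" (only "stopped" is confirmed in the thread); the 5 minute grace period, the 10 minute lookback and the "BKE" computer filter are taken from the posts.

```kql
// Added example (not from the thread): alert only on a BiTXRDeq stop that has
// no matching start on the same computer within the grace period.
// Assumptions: stop/start state is in RenderedDescription as "stopped"/"started";
// the alert rule runs every 5 minutes, so a 10 minute lookback evaluates each
// stop exactly once (see the window filter on StopTime below).
let lookback = 10m;
let grace = 5m;
let svc_events = Event
    | where TimeGenerated > ago(lookback)
    | where Computer contains "BKE"
    | where EventLog == "Application" and Source == "BiTXRDeq";
let stops = svc_events
    | where RenderedDescription has "stopped"
    | project Computer, StopTime = TimeGenerated;
let starts = svc_events
    | where RenderedDescription has "started"
    | project Computer, StartTime = TimeGenerated;
stops
// A stop younger than the grace period cannot be judged yet; the next run
// of the rule will pick it up. Together with lookback = grace + frequency
// this means each stop is evaluated by one run only, so it alerts once.
| where StopTime <= ago(grace)
// leftouter keeps stops that have no start at all (StartTime is null).
| join kind=leftouter starts on Computer
// Count starts that fall inside (StopTime, StopTime + grace]. A null
// StartTime or a start that happened before the stop does not count.
| summarize Starts = countif(StartTime > StopTime and StartTime <= StopTime + grace)
    by Computer, StopTime
// Stops with zero qualifying starts are the ones that did not recover.
| where Starts == 0
| project Computer, StopTime
```

In the alert rule, use this as the single log search with a 5 minute frequency and the condition "number of results greater than 0". A clean restart (stopped, then started one minute later) produces one start inside the window, so Starts is 1 and the row is dropped; a stop with no later start yields a null StartTime from the left outer join, Starts is 0, and the row is returned and fires the alert.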