cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure monitor - prevent alarm on service restart

Mali_Stane
Copper Contributor

‎Feb 27 2024 12:24 AM

‎Feb 27 2024 12:24 AM

Azure monitor - prevent alarm on service restart

Hi,

A simple script is used, which works in the event that the service stops or that the service stops and starts.

Is there a possibility, or how to make a query so that the alarm is not triggered if the service is restarted and the restart take lets  say, 1 minute.

I don't mean maintenance here, because it can be done randomly when someone applied something…

 


Event
| where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
| where Computer == "**********************"
| where RenderedDescription contains "The Windows Search service entered"
| parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated desc
| project Windows_Service_State

Labels:
258 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Mali_Stane (Copper Contributor)
Clive_Watson

‎Feb 27 2024 03:30 AM

‎Feb 27 2024 03:30 AM

Solution

Re: Azure monitor - prevent alarm on service restart

@Mali_Stane 

 

You can look to check the time difference between the states, something like this?

Event
| where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
| where Computer == "--------------"
| where RenderedDescription contains "---------- service entered"
| parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated asc
| project Windows_Service_State, TimeGenerated, diffinMinutes=datetime_diff('minute',TimeGenerated, prev(TimeGenerated))
| where diffinMinutes > 1

 

1 Like
Reply
Mali_Stane

‎Feb 27 2024 10:33 PM

‎Feb 27 2024 10:33 PM

Re: Azure monitor - prevent alarm on service restart

Thank you,
I will create a logic around it..
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Mali_Stane (Copper Contributor)
Clive_Watson

‎Feb 27 2024 03:30 AM

‎Feb 27 2024 03:30 AM

Solution

Re: Azure monitor - prevent alarm on service restart

@Mali_Stane 

 

You can look to check the time difference between the states, something like this?

Event
| where EventLog == 'System' and EventID ==7036 and Source == 'Service Control Manager'
| where Computer == "--------------"
| where RenderedDescription contains "---------- service entered"
| parse kind = relaxed EventData with *'</Data><Data Name="param2">' Windows_Service_State "</Data>" *
| sort by TimeGenerated asc
| project Windows_Service_State, TimeGenerated, diffinMinutes=datetime_diff('minute',TimeGenerated, prev(TimeGenerated))
| where diffinMinutes > 1

 

View solution in original post

1 Like
Reply