Jun 01 2021
- last edited on
Apr 08 2022
I'm working on a query to create an alert when a VM has been up and running for more the 8 hours.
I'm trying to achieve that using the Heartbeat. My idea is to have a query that validates that the heartbeat was reported for 8 hours straight .
I have started working on the below query that gives me the time difference between the first and the last heartbeat on the last 8 hours.
How can I query for the heartbeat on 8hours straight?
//Calculate VM total time available on the past 8H
| where TimeGenerated > ago(8h)
| summarize LastHeartbeat=max(TimeGenerated), OldestHeartbeat=min(TimeGenerated) by Computer
// Total time Available/Hours
| extend TotalHoursAvailable = (datetime_diff('hour', LastHeartbeat, OldestHeartbeat))
| where TotalHoursAvailable > 7
Jun 02 2021 08:25 AM
Jun 03 2021 04:02 AM
@Seshadrr That query only shows the most recent heartbeat per VM on the last 8 hours. Doesn't mean that it has been reporting heartbeats for 8hours straight.
I'm trying to know if the VM was running 8h straight. It's not expected to be up an running so long. We need to be alerted in the case of the VM is still running after 8h.