Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,308 questions
Complex query which track multipul process and VMs
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 11%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
Pinchasi, Shay
1
Reputation point
Hey All,
I would like to know if it is possible to make this query below more advanced which will bring results of multiple process and it will query multiple VMs on one query?(this query tirgger an alert when the process is down )
let process_tbl = datatable (computer: string, process: string, process_count: int)
[ "<Virtual machine name>", "bin/<process name>", 1, ];
//Extract distinct list of computers
let comps = process_tbl | summarize by computer;
//Extract distinct list of process names
let procs = process_tbl | summarize by process;
//Extract the detailed process info from VMProcess Table
//that matches the multiple processes and multiple machines as defined in the process_tbl
//VMProcess collects live process information every 1hr but also catches a newly started process within 5 mins
let vm_procs = VMProcess
| extend process_id = tostring(Process)
| where TimeGenerated > ago(60m)
| where Computer in (comps) and CommandLine has_any (procs)
| project process_id, Computer, CommandLine, FirstPid, TimeGenerated, ExecutablePath
| order by TimeGenerated desc, CommandLine
| summarize arg_max(TimeGenerated, *) by CommandLine;
//Get the Live process Heartbeat data from the InsightsMetrics which is refreshed every min.
let foo = InsightsMetrics
| where Name == "Heartbeat"
| where Namespace == "Computer"
| where Origin == "vm.azm.ms/map"
| where TimeGenerated > ago(3m)
| where Computer in (comps)
| extend processObj = parse_json(Tags)
| extend process_id = parse_json(tostring(processObj.["vm.azm.ms/processIds"]))
| mv-expand process_id
| distinct tostring(process_id), Computer, TimeGenerated;
//Putting it all together
//Check for processes that are common and unique in VM Process and Heartbeat table
vm_procs
| join kind=leftanti (foo) on process_id, Computer
| summarize by process_id, Computer, CommandLine, FirstPid, TimeGenerated, ExecutablePath
Thanks,
Shay
{count} votes
-
tbgangav-MSFT 10,416 Reputation points2021-03-18T16:08:45.143+00:00 Hi @Pinchasi, Shay ,
It might be possible if you go with dynamic rather than string in the inital process_tbl datatable and then by using mv-expand / mv-apply operator so that we could expand the array and then apply the dynamic-property accessors foreach record and continue from there the next part of the query to check for multiple processes and VMs.
-
Pinchasi, Shay 1 Reputation point
2021-03-21T08:04:34.89+00:00 Hi @tbgangav-MSFT
Thank you for the quick replay, Is it possible to take my example and to edit it by your suggestion?
BR,
Shay
Sign in to comment
Sign in to answer