Kusto query to find vms that had issues installing updates

Question

Kusto query to find vms that had issues installing updates

bombbe 1,466

Hi,
I'm using Azure Update Management to patch Windows servers and because there is no build in query or some kind of dashboard to terminate that I need to make it by my self.

The table are UpdateRunProgress updaterunprogress

My goal query should work somehow like this that if InstallationStatus has gone from NotStarted to something else than Succeeded it should be displayed in results. I have now tried almost everything and used Join operator but have not managed to get this work.

2 answers

Your answer

Answer 1

Andrew Blumhardt 10,071 Microsoft Employee

I don't have this active in a lab for testing.

Would it not be sufficient just to query for status other than NotStarted o Completed?

I would do something like (Just an untested sample) if you need to correlate:

let NotStarted = UpdateRunProgress
| where InstallationStatus == "NotStarted"
| summarize arg_max(TimeGenerated, *) by Computer ;
let Status = UpdateRunProgress
| where InstallationStatus != "NotStarted"
| summarize arg_max(TimeGenerated, *) by Computer ;
NotStarted
| join (Status ) on Computer
| where InstallationStatus_1 != "Successded"

bombbe 1,466 Reputation points

2022-11-03T13:37:38.023+00:00
Hi, thank you for the template. I had to make few changes to it even display something

let NotStarted = UpdateRunProgress | where InstallationStatus == "NotStarted" | summarize arg_max(TimeGenerated, *) by Computer, UpdateId; let Status = UpdateRunProgress | where InstallationStatus != "NotStarted" | summarize arg_max(TimeGenerated, *) by Computer, UpdateId; NotStarted | join (Status) on Computer | where Computer contains "2060" | where InstallationStatus == "NotStarted" and InstallationStatus1 !="Succeeded" | where InstallationStatus1 != "NotIncluded"

Issue is that that I'm thinking how to catch those update jobs that did not even run (those in 10/20/2022)? I had few of them is mouth because of issues in Azure so they went never forward. Kinda stuck only to status NotStarted

Here is example from the logs (basically same as the picture above) were not a single update were installed or even tried because of issues in Azure. Logs are sorted by time so you can see that 10/20/2022 updates went not to Succeeded or Fail state.

And this is picture from logs that shows how things went when all worked fine so logs have both NotStarted and Succeeded as InstallationStatus when on above there were only NotStarted as statue.
Andrew Blumhardt 10,071 Reputation points Microsoft Employee

2022-11-03T23:12:45.29+00:00

Where is the screenshot? It seems like the status info should be in some table if this is in the Azure portal.
bombbe 1,466 Reputation points

2022-11-04T09:55:37.867+00:00

idk what happened to screenshot but edited my comment where you should now be able to see picture from logs
AnuragSingh-MSFT 21,566 Reputation points Moderator

2022-11-11T04:38:18.463+00:00

@bombbe , following up to check if you were able to resolve this issue. You might also check AzureDiagnostics table in the LogAnalytics workspace which stores resource logs for Azure services to see if the update job related information is available.

In case this does not help, I would request you to please reach out to Azure Support so that it can be investigated and assisted 1:1. Please let me know if you face any issues opening the support ticket.

Answer 2

Wilko van de Velde 2,241

UpdateRunProgress  
| extend NextRecord = next(InstallationStatus)  
| where InstallationStatus == "NotStarted" and NextRecord  != "Succeeded "

Share via

Kusto query to find vms that had issues installing updates

2 answers

Your answer