Complex query which tracks multiple processes and VMs

Pinchasi, Shay 1 Reputation point
2021-03-17T14:52:33.253+00:00

Hey All,

I would like to know if it is possible to make the query below more advanced, so that it returns results for multiple processes and checks multiple VMs in a single query. (This query triggers an alert when the process is down.)

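// Expected processes per VM: one row per (computer, process) pair.
// Adding rows here is how the query watches several processes on several VMs.
// NOTE(review): process_count is declared but never referenced below — the
// query only checks presence of a process, not how many instances run.
let process_tbl = datatable (computer: string, process: string, process_count: int)
    [ "<Virtual machine name>", "bin/<process name>", 1, ];
// Look-back windows, kept as parameters so the alert can be tuned in one place.
// VMProcess collects live process information every 1hr (a newly started
// process shows up within ~5 min); the InsightsMetrics heartbeat refreshes
// every minute.
let vmprocess_lookback = 60m;
let heartbeat_lookback = 3m;
// Distinct list of computers to watch.
let comps = process_tbl | summarize by computer;
// Distinct list of process patterns to watch.
let procs = process_tbl | summarize by process;
// Latest VMProcess record per command line, restricted to the watched
// computers and processes.
// NOTE(review): has_any is a term match, not a substring match — confirm that
// a value such as "bin/<process name>" matches the intended CommandLine text.
let vm_procs = VMProcess
| extend process_id = tostring(Process)
| where TimeGenerated > ago(vmprocess_lookback)
| where Computer in (comps) and CommandLine has_any (procs)
| project process_id, Computer, CommandLine, FirstPid, TimeGenerated, ExecutablePath
| order by TimeGenerated desc, CommandLine
| summarize arg_max(TimeGenerated, *) by CommandLine;
// Process ids reported as live by the per-minute heartbeat on the watched
// computers; each heartbeat row carries an array of ids in its Tags.
let live_pids = InsightsMetrics
| where Name == "Heartbeat"
| where Namespace == "Computer"
| where Origin == "vm.azm.ms/map"
| where TimeGenerated > ago(heartbeat_lookback)
| where Computer in (comps)
| extend processObj = parse_json(Tags)
| extend process_id = parse_json(tostring(processObj.["vm.azm.ms/processIds"]))
| mv-expand process_id
// Normalise to string so the join key has the same type on both sides.
| extend process_id = tostring(process_id)
| distinct process_id, Computer, TimeGenerated;
// Processes known to VMProcess inside the window that no live heartbeat lists:
// these are the "down" candidates that trigger the alert.
// Caveats for the alert rule built on this query:
//  - A process that has not appeared in VMProcess during vmprocess_lookback
//    (down for longer than that, or the agent not reporting) yields no row,
//    so no alert fires; a separate "no data" condition is needed for that.
//  - If InsightsMetrics ingestion lags beyond heartbeat_lookback, live_pids is
//    empty and every watched process is reported as down (false positive).
vm_procs
| join kind=leftanti (live_pids) on process_id, Computer
| summarize by process_id, Computer, CommandLine, FirstPid, TimeGenerated, ExecutablePath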

Thanks,
Shay
