![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 16%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,792 questions
Hi @Daniel Lucas ,
Yes you can do this, however it's hard to come up with an example query without knowing your naming convention. Here is an example I've made up based on some fake naming convention using the extract() function
let Threshold = 0.5;
let startTime = ago(10m);
let endTime = now();
// Count of Unique Computer Names
let ComputerCount = toscalar( Heartbeat
| where TimeGenerated between (startTime .. endTime)
| distinct Computer
| count);
// Expected Number of heartbeats in the time range
let heartbeatPerAgent = array_length(range(startTime, endTime, 1m)) -1;
// Number of Agents per computer. There can be more than one with the AMA and MMA
let agentsPerComputer = Heartbeat
| where TimeGenerated between (startTime .. endTime)
| distinct Computer, SourceComputerId
| summarize NumberOfAgents = count() by Computer;
// Gather Heartbeats
Heartbeat
| where TimeGenerated between (startTime .. endTime)
| summarize Count = count() by Computer
| join kind=innerunique (
// Join the number of agents to the summarized heartbeat data
agentsPerComputer
) on Computer
| extend CountofHeartbeats = Count / NumberOfAgents
| extend ExpectedHeartbeats = heartbeatPerAgent
| order by Computer
//Used to simulate Computer naming convention based on my heartbeat data
| extend RenamedComputer = case ( row_number() < (ComputerCount /2),
strcat("SiteA", strrep("0", (4-strlen(tostring(row_number())))), row_number()),
strcat("SiteB", strrep("0", (4-strlen(tostring(row_number())))), row_number())
)
| project-away Computer, Computer1, NumberOfAgents
// Using Extract to identify the Site Code
| extend Site = extract(@"(Site)(\w)(\d+)",2, RenamedComputer)
| summarize TotalHeartbeats = sum(CountofHeartbeats), ExpectedHeartbeats = sum(ExpectedHeartbeats) by Site
| where TotalHeartbeats < (ExpectedHeartbeats * Threshold)