Alert if vms stop sending heartbeats but not if it shut down

Bombbe 1,626 Reputation points
2022-03-31T08:07:25.177+00:00

Hi,
I'm running following query to generate alerts if log analytics agents stops sending heartbeats and it works fine. Only problem that I'm facing that if someone shutdowns the vm ( it will generate alert because heartbeats has stopped.

Heartbeat
| summarize LastCall = max(TimeGenerated) by Computer, _ResourceId
| extend HeartBeatMissing = iff(LastCall < ago(1h), 1, 0)

Then I started to create query that would not generate alert if vm has been stopped but are facing a bit issues.

    Heartbeat
    | summarize LastCall = max(TimeGenerated) by Computer, _ResourceId
    | extend HeartBeatMissing = iff(LastCall < ago(1h), 1, 0)
    | join kind=leftanti (
        AzureActivity
        | where ActivityStatus == "Succeeded"
        | where Category == "Administrative"
        | where OperationName == "Deallocate Virtual Machine"
        | summarize by Resource _ResourceId
) on 

I'm not sure if this is the right or proper way to archive this and thus I'm banging my head to wall how and what should I next (not that great with join operator).

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,254 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Bombbe 1,626 Reputation points
    2022-04-05T07:16:02.78+00:00

    I got it working by myself and here are the query if somebody else is fighting with same issues. For some reason I can not mark my own comment as answer.

    Heartbeat
    | summarize LastCall = max(TimeGenerated) by Computer, _ResourceId
    | extend HeartBeatMissing = iff(LastCall < ago(2h), 1, 0)
         | join kind=leftanti (
             AzureActivity
             | where ActivityStatus == "Succeeded"
             | where Category == "Administrative"
             | where OperationName == "Deallocate Virtual Machine"
             | summarize by _ResourceId
     ) on _ResourceId
    
    0 comments No comments

  2. tbgangav-MSFT 10,416 Reputation points
    2022-04-05T09:43:10.063+00:00

    Hi @Bombbe ,

    Glad to know that you have self-resolved the question and thanks for sharing it. Yes, it would be of great help for other community users who might be looking for similar information. :)

    As explained here, currently a user cannot accept their own answers. In past (around 2+ months ago), users were able to accept their own answers but that feature is revoked now.

    190068-image.png

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.