OMS Syntax post series: #3 Events & Alerts

Part 3, Events and Alert examples:


I wanted to look at a range of EventIDs (I can't remember why now); here is how:

Type=Event EventID=* | measure count() by EventID | Where (EventID>6000 AND EventID<6500)

If you want to look for specific EventIDs, this query also filters on the last 24 hours. (Note: for the 24-hour scope to work, the "data based on" drop-down has to be set to more than 24 hours.) I used this to find clean shutdowns (6006) versus unexpected shutdowns (6008):

TimeGenerated>NOW-24HOUR EventID IN {6006, 6008} | measure count() by Computer
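As an added example (not from the original post), the same shutdown check written as plain Python over constructed event records, so the 24-hour scope and the EventID set can be checked outside the portal; the fixed `NOW`, the sample records and the `data_range` parameter that models the "data based on" drop-down are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed "NOW" so the example is reproducible (assumption, not real telemetry).
NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed records in the shape OMS returns for Type=Event.
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(hours=2),  "Computer": "srv01", "EventID": 6006},
    {"TimeGenerated": NOW - timedelta(hours=5),  "Computer": "srv02", "EventID": 6008},
    {"TimeGenerated": NOW - timedelta(hours=30), "Computer": "srv02", "EventID": 6008},  # older than 24h
    {"TimeGenerated": NOW - timedelta(hours=1),  "Computer": "srv03", "EventID": 6005},  # not in the set
    {"TimeGenerated": NOW - timedelta(hours=3),  "Computer": "srv01", "EventID": 6008},
]


def shutdown_counts(events, now=NOW, window=timedelta(hours=24),
                    data_range=None, ids=(6006, 6008)):
    """Equivalent of:
       TimeGenerated>NOW-24HOUR EventID IN {6006, 6008} | measure count() by Computer
    but split per host into clean (6006) and unexpected (6008) shutdowns, so
    unexpected ones are not folded into a single total."""
    cutoff = now - window
    if data_range is not None:
        # Models the portal's "data based on" range: a range shorter than the
        # window clips the window, which is the caveat noted in the post.
        cutoff = max(cutoff, now - data_range)
    per_host = {}
    for ev in events:
        if ev["TimeGenerated"] <= cutoff or ev["EventID"] not in ids:
            continue
        bucket = per_host.setdefault(ev["Computer"], {"clean": 0, "unexpected": 0})
        bucket["clean" if ev["EventID"] == 6006 else "unexpected"] += 1
    return per_host


def hosts_with_unexpected_shutdowns(events, **kwargs):
    """Hosts that logged at least one 6008 inside the effective window."""
    counts = shutdown_counts(events, **kwargs)
    return sorted(host for host, c in counts.items() if c["unexpected"])


if __name__ == "__main__":
    print(shutdown_counts(SAMPLE_EVENTS))
    print(hosts_with_unexpected_shutdowns(SAMPLE_EVENTS))
```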


Looking for Alerts that are error or critical in the last 24 hours:

Type=Alert (AlertSeverity=error or AlertSeverity=critical) TimeGenerated>NOW-24HOUR


It's sometimes useful to see what alert types you have, so group by AlertName:

Type=Alert | measure count() by AlertName


This query groups Alerts by the solution that sent them, typically a server:

Type=Alert | measure count() by SourceDisplayName