다음을 통해 공유

하트비트 테이블에 대한 쿼리

  • 아티클

Azure Portal에서 이러한 쿼리를 사용하는 방법에 대한 자세한 내용은 Log Analytics 자습서를 참조하세요. REST API는 쿼리를 참조 하세요.

하트비트 수 계산

지난 1시간 동안의 모든 컴퓨터 하트비트를 계산합니다.

// Count computers heartbeats in the last hour. 
// Normally, agents on VMs generate Heartbeat event every minute.
Heartbeat
| where TimeGenerated > ago(1h)
| summarize count() by Computer

각 컴퓨터의 마지막 하트비트

각 컴퓨터에서 보낸 마지막 하트비트를 표시합니다.

// Last heartbeat of each computer 
// Show the last heartbeat sent by each computer. 
Heartbeat
| summarize arg_max(TimeGenerated, *) by Computer

수집 대기 시간(엔드 투 엔드) 급증 - 하트비트 테이블

지난 24시간 동안의 하트비트 수집에서 대기 시간 급증을 확인합니다.

// Ingestion latency (end-to-end) spikes - Heartbeat table 
// Check for latency spikes in the ingestion of Heartbeats in the last 24 hour. 
// This query calculates ingestion duration every 10 minutes, and looks for spikes
let StartTime = ago(24h);
let EndTime = now();
let MinRSquare = 0.9; // Tune the sensitivity of the detection sensor. Higher numbers make the detector more sensitive
Heartbeat
| where TimeGenerated between (StartTime .. EndTime)
// calculate ingestion duration in seconds
| extend IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s
// Create a time series
| make-series RatioSeries=avg(IngestionDurationSeconds) default=0 on TimeGenerated in range(StartTime , EndTime,10m)
// Apply a 2-line regression to the time series
| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)
// Find out if our 2-line is trending up or down
|extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)
// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)
| project PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, "Spike detected", "No spike")

에이전트 대기 시간 급증 - 하트비트 테이블

지난 24시간 동안 하트비트 수집에서 에이전트 대기 시간 급증을 확인합니다.

// Agent latency spikes - Heartbeat table 
// Check for agent latency spikes in the ingestion of Heartbeats in the last 24 hour. 
// This query calculates ingestion duration every 10 minutes, and looks for spikes
let StartTime = ago(24h);
let EndTime = now();
let MinRSquare = 0.9; // Tune the sensitivity of the detection sensor. Higher numbers make the detector more sensitive
Heartbeat
| where TimeGenerated between (StartTime .. EndTime)
// calculate ingestion duration in seconds
| extend AgentLatencySeconds = (_TimeReceived-TimeGenerated)/1s
// Create a time series
| make-series RatioSeries=avg(AgentLatencySeconds) default=0 on TimeGenerated in range(StartTime , EndTime,10m)
// Apply a 2-line regression to the time series
| extend (RSquare2, SplitIdx, Variance2, RVariance2, LineFit2) = series_fit_2lines(RatioSeries)
// Find out if our 2-line is trending up or down
|extend (Slope, Interception, RSquare, Variance, RVariance, LineFit) = series_fit_line(LineFit2)
// Check whether the line fit reaches the threshold, and if the spike represents an increase (rather than a decrease)
| project PatternMatch = iff(RSquare2 > MinRSquare and Slope>0, "Spike detected", "No spike")

최근에 중지된 하트비트 - 하트비트 테이블

지난 15분 동안 하트비트 전송을 중지한 리소스를 나열합니다.

// Resources, which stopped sending heartbeats in last 15 minutes
Heartbeat
| summarize LastReported=now()-max(TimeGenerated) by ResourceGroup, Resource, ResourceType 
// Assuming that heartbeats are sent at least every minute we are looking at 1-15 minute interval
| where LastReported between(1m..15m)

오늘의 컴퓨터 가용성

매시간 로그를 보내는 컴퓨터 수를 차트로 표시합니다.

Heartbeat
| summarize dcount(ComputerIP) by bin(TimeGenerated, 1h)
| render timechart

사용할 수 없는 컴퓨터

지난 5시간 동안 하트비트를 보내지 않은 알려진 모든 컴퓨터를 나열합니다.

Heartbeat
| summarize LastHeartbeat=max(TimeGenerated) by Computer
| where LastHeartbeat < ago(5h)

공급 요금

연결된 각 컴퓨터의 가용성 속도를 계산합니다.

Heartbeat
// bin_at is used to set the time grain to 1 hour, starting exactly 24 hours ago
| summarize heartbeatPerHour = count() by bin_at(TimeGenerated, 1h, ago(24h)), Computer
| extend availablePerHour = iff(heartbeatPerHour > 0, true, false)
| summarize totalAvailableHours = countif(availablePerHour == true) by Computer
| extend availabilityRate = totalAvailableHours*100.0/24

VM을 보고하지 않음

지난 5분 동안 하트비트를 보고하지 않은 VM

// To create an alert for this query, click '+ New alert rule'
Heartbeat 
| where TimeGenerated > ago(24h)
| summarize LastCall = max(TimeGenerated) by Computer, _ResourceId
| where LastCall < ago(5m)

컴퓨터 목록

Azure 업데이트 관리가 배포된 컴퓨터 목록입니다.

Heartbeat
| where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId
| where Solutions has "updates"
| extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=1, environment=iff(ComputerEnvironment=~"Azure", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=""
| join kind=leftouter
(
   Update
    | where TimeGenerated>ago(5h) and OSType=="Linux" and SourceComputerId in ((Heartbeat
    | where TimeGenerated>ago(12h) and OSType=="Linux" and notempty(Computer)
    | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
    | where Solutions has "updates"
    | distinct SourceComputerId))
    | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Product, Computer, ComputerEnvironment) by SourceComputerId, Product, ProductArch
    | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has "Critical" and UpdateState=~"Needed"), missingSecurityUpdatesCount=countif(Classification has "Security" and UpdateState=~"Needed"), missingOtherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security" and UpdateState=~"Needed"), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime="" by SourceComputerId
    | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)
    | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)
)
on SourceComputerId
| project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=1, environment=iff(ComputerEnvironment=~"Azure", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2)
| union(Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions, Computer, ResourceId, ComputerEnvironment, VMUUID) by SourceComputerId
| where Solutions has "updates"
| extend vmuuId=VMUUID, azureResourceId=ResourceId, osType=2, environment=iff(ComputerEnvironment=~"Azure", 1, 2), scopedToUpdatesSolution=true, lastUpdateAgentSeenTime=""
| join kind=leftouter
(
    Update
    | where TimeGenerated>ago(14h) and OSType!="Linux" and SourceComputerId in ((Heartbeat
    | where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
    | summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
    | where Solutions has "updates"
    | distinct SourceComputerId))
    | summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, Optional, Approved, Computer, ComputerEnvironment) by Computer, SourceComputerId, UpdateID
    | summarize Computer=any(Computer), ComputerEnvironment=any(ComputerEnvironment), missingCriticalUpdatesCount=countif(Classification has "Critical" and UpdateState=~"Needed" and Approved!=false), missingSecurityUpdatesCount=countif(Classification has "Security" and UpdateState=~"Needed" and Approved!=false), missingOtherUpdatesCount=countif(Classification !has "Critical" and Classification !has "Security" and UpdateState=~"Needed" and Optional==false and Approved!=false), lastAssessedTime=max(TimeGenerated), lastUpdateAgentSeenTime="" by SourceComputerId
    | extend compliance=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0, 2, 1)
    | extend ComplianceOrder=iff(missingCriticalUpdatesCount > 0 or missingSecurityUpdatesCount > 0 or missingOtherUpdatesCount > 0, 1, 3)
)
on SourceComputerId
| project id=SourceComputerId, displayName=Computer, sourceComputerId=SourceComputerId, scopedToUpdatesSolution=true, missingCriticalUpdatesCount=coalesce(missingCriticalUpdatesCount, -1), missingSecurityUpdatesCount=coalesce(missingSecurityUpdatesCount, -1), missingOtherUpdatesCount=coalesce(missingOtherUpdatesCount, -1), compliance=coalesce(compliance, 4), lastAssessedTime, lastUpdateAgentSeenTime, osType=2, environment=iff(ComputerEnvironment=~"Azure", 1, 2), ComplianceOrder=coalesce(ComplianceOrder, 2))
| order by ComplianceOrder asc, missingCriticalUpdatesCount desc, missingSecurityUpdatesCount desc, missingOtherUpdatesCount desc, displayName asc
| project-away ComplianceOrder

하트비트에서 찾기

하트비트 테이블에서 특정 값을 검색하려면 하트비트에서 찾습니다./n노트에서 이 쿼리를 수행하려면 SeachValue> 매개 변수를 업데이트<하여 결과를 생성해야 합니다.

// This query requires a parameter to run. Enter value in SearchValue to find in table.
let SearchValue =  "<SearchValue>";//Please update term you would like to find in the table.
Heartbeat
| where * contains tostring(SearchValue)
| take 1000