Computer – Heartbeat Missing – Azure Alert
March 25, 2025 by admin
This script is designed to track the heartbeat status of monitored resources in Azure using Kusto Query Language (KQL):
Heartbeat
| where TimeGenerated >= ago(5d)
| summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId
| extend Duration = datetime_diff('minute', now(), TimeGenerated)
| summarize AggregatedValue = min(Duration) by Computer, bin(TimeGenerated, 5m), _ResourceId
Script Functionality
- Filtering Data (Past 5 Days)
  - Retrieves heartbeat logs from the past 5 days using TimeGenerated >= ago(5d).
- Finding the Latest Heartbeat per Machine
  - Uses summarize TimeGenerated = max(TimeGenerated) by Computer, _ResourceId to get the most recent heartbeat timestamp for each machine.
- Calculating Downtime Duration
  - Computes the time difference (in minutes) between the current timestamp and the latest recorded heartbeat using extend Duration = datetime_diff('minute', now(), TimeGenerated).
- Aggregating Data for Alerting
  - Groups the results into 5-minute intervals (bin(TimeGenerated, 5m)) and determines the minimum duration (AggregatedValue = min(Duration)) per machine (Computer) and resource (_ResourceId).
How This Relates to the Alert Configuration
- The alert monitors the AggregatedValue, which represents the minimum duration since the last heartbeat.
- If this value exceeds 10 minutes for any machine, an alert is triggered.
- The alert evaluates data every 5 minutes.
- It is configured to track selected computers and dynamically includes future values.
This setup helps detect when a monitored resource has not sent a heartbeat signal for more than 10 minutes, potentially indicating downtime or connectivity issues.
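The query and the 10-minute alert condition, replayed in Python over constructed heartbeat records. This is an added example, not code from the original post; the function names, sample hosts and resource IDs are assumptions. It also covers two edge cases: a machine exactly at the threshold does not alert, and a machine silent for longer than the 5-day lookback produces no row at all, so the alert condition is never evaluated for it.

```python
from datetime import datetime, timedelta, timezone

def trunc_min(ts):
    # Assumption: datetime_diff('minute', ...) is modelled as the difference
    # between the two timestamps truncated to the minute.
    return ts.replace(second=0, microsecond=0)

def heartbeat_rows(records, now, lookback=timedelta(days=5)):
    """Return {(Computer, _ResourceId): AggregatedValue in minutes}."""
    latest = {}
    for r in records:
        # | where TimeGenerated >= ago(5d)
        if r["TimeGenerated"] < now - lookback:
            continue
        # | summarize TimeGenerated = max(TimeGenerated) by Computer, _ResourceId
        key = (r["Computer"], r["_ResourceId"])
        latest[key] = max(latest.get(key, r["TimeGenerated"]), r["TimeGenerated"])
    # | extend Duration = datetime_diff('minute', now(), TimeGenerated)
    # The final summarize sees one row per machine, so min(Duration) per
    # 5-minute bin is simply that row's Duration.
    return {k: int((trunc_min(now) - trunc_min(ts)).total_seconds() // 60)
            for k, ts in latest.items()}

def alerting(rows, threshold_minutes=10):
    """Machines whose AggregatedValue exceeds the alert threshold."""
    return sorted(c for (c, _), v in rows.items() if v > threshold_minutes)

# Constructed sample data (hosts and resource IDs are made up).
NOW = datetime(2025, 3, 25, 12, 0, tzinfo=timezone.utc)

def hb(computer, **ago):
    return {"Computer": computer, "_ResourceId": "/constructed/vm/" + computer,
            "TimeGenerated": NOW - timedelta(**ago)}

SAMPLE = [
    hb("web01", minutes=2), hb("web01", minutes=1),   # healthy
    hb("cache01", minutes=10),                        # exactly at threshold
    hb("db01", minutes=20),                           # silent for 20 minutes
    hb("app01", days=6),                              # silent longer than lookback
]

if __name__ == "__main__":
    rows = heartbeat_rows(SAMPLE, NOW)
    for (computer, _), minutes in sorted(rows.items()):
        print(f"{computer}: last heartbeat {minutes} min ago")
    print("alerting:", alerting(rows))
```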