Exclude reboot results from Configuration Change Searches

  • Question

  • When running the following Search query:

    Type=ConfigurationChange ConfigChangeType:WindowsServices

    Showing the Configuration Changes for the Windows Services, I want to exclude Config Changes for the services happening after a reboot of the machine.

    How do I exclude Service Changes just after a reboot of the server?

    I have enabled the Log Management for System Events. So I can check for an eventid showing the reboot.

    /Stefan


    Regards, Stefan Stranger Microsoft Services

    Thursday, November 13, 2014 10:33 AM

All replies

  • At the time of this writing, I can't really think of a way you can 'exclude' those, as that would essentially imply some sort of joins between two streams of data and queries, which we don't currently support.

    Hint - idea for subqueries (stepping stone in that direction) is here http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6519209-allow-subqueries-in-the-search-language-in-not

    HOWEVER, you can SEE both sets of data together, and let the eye 'see' those things together, i.e. you can combine your query and OR it with another, getting basically something like a UNION of results of different types - so you should see those 'clusters' of events and changes together - other changes should be more isolated - or anyway they are sorted by time (I made it explicit in the example below, but it is added automatically behind the scenes if you don't sort by anything else...) so you can see the 'sequence' of events. Try adding some 'select' of specific fields to make it more readable (given the different fields/columns sets) in an excel export or table format:

    (Type=Event AND EventID=6008 AND Source=EventLog) OR (Type=ConfigurationChange AND ConfigChangeType:WindowsServices) | Sort TimeGenerated

    Friday, November 14, 2014 7:09 AM
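The reply above points out that the search language cannot join the reboot events to the service changes, so the exclusion Stefan asked for has to happen after the combined results are exported. The following Python is an added example, not code from this thread or from Operational Insights: it takes rows shaped like an export of the combined query in the reply, rebuilds the time-ordered timeline (the `| Sort TimeGenerated` step), and then goes one step further by dropping the WindowsServices changes that land within a chosen window after an EventID 6008 record on the same computer. The sample rows, the `Computer` and `Svc*` field names, and the five-minute window are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, shaped like an export of the combined query
# from the reply: (Type=Event AND EventID=6008 AND Source=EventLog)
# OR (Type=ConfigurationChange AND ConfigChangeType:WindowsServices).
# "Computer" and the Svc* field names are assumed; all values are made up.
SAMPLE_ROWS = [
    {"TimeGenerated": "2014-11-13T09:00:00", "Type": "Event", "EventID": 6008,
     "Source": "EventLog", "Computer": "srv01"},
    {"TimeGenerated": "2014-11-13T09:01:30", "Type": "ConfigurationChange",
     "ConfigChangeType": "WindowsServices", "Computer": "srv01",
     "SvcName": "Spooler", "SvcState": "Running"},
    {"TimeGenerated": "2014-11-13T09:03:00", "Type": "ConfigurationChange",
     "ConfigChangeType": "WindowsServices", "Computer": "srv01",
     "SvcName": "W32Time", "SvcState": "Running"},
    {"TimeGenerated": "2014-11-13T09:02:00", "Type": "ConfigurationChange",
     "ConfigChangeType": "WindowsServices", "Computer": "srv02",
     "SvcName": "Spooler", "SvcState": "Stopped"},
    {"TimeGenerated": "2014-11-13T14:00:00", "Type": "ConfigurationChange",
     "ConfigChangeType": "WindowsServices", "Computer": "srv01",
     "SvcName": "Spooler", "SvcState": "Stopped"},
    {"TimeGenerated": "2014-11-13T15:59:00", "Type": "ConfigurationChange",
     "ConfigChangeType": "WindowsServices", "Computer": "srv02",
     "SvcName": "BITS", "SvcState": "Running"},
    {"TimeGenerated": "2014-11-13T16:00:00", "Type": "Event", "EventID": 6008,
     "Source": "EventLog", "Computer": "srv02"},
]

# Assumed: how long after a reboot a service change still counts as
# "just after the reboot" and is therefore uninteresting.
REBOOT_WINDOW = timedelta(minutes=5)


def to_time(row):
    """TimeGenerated as a datetime (ISO 8601 text in the export)."""
    return datetime.fromisoformat(row["TimeGenerated"])


def timeline(rows):
    """Client-side equivalent of '| Sort TimeGenerated' (ascending here):
    both record types interleaved so reboot/change clusters stand out."""
    return sorted(rows, key=to_time)


def is_reboot(row):
    return (row["Type"] == "Event" and row.get("EventID") == 6008
            and row.get("Source") == "EventLog")


def is_service_change(row):
    return (row["Type"] == "ConfigurationChange"
            and row.get("ConfigChangeType") == "WindowsServices")


def exclude_post_reboot_changes(rows, window=REBOOT_WINDOW):
    """Return the WindowsServices changes that did NOT occur within `window`
    after a reboot event on the same computer, in time order. This is the
    join the search language cannot do, done on the exported rows instead."""
    reboots = defaultdict(list)
    for row in rows:
        if is_reboot(row):
            reboots[row["Computer"]].append(to_time(row))
    kept = []
    for row in timeline(rows):
        if not is_service_change(row):
            continue
        t = to_time(row)
        if any(rb <= t <= rb + window for rb in reboots[row["Computer"]]):
            continue  # explained by a reboot on this host: drop it
        kept.append(row)
    return kept


if __name__ == "__main__":
    print("combined timeline:")
    for row in timeline(SAMPLE_ROWS):
        label = "REBOOT" if is_reboot(row) else f"svc {row['SvcName']} -> {row['SvcState']}"
        print(f"  {row['TimeGenerated']}  {row['Computer']:6}  {label}")
    print("service changes not explained by a reboot:")
    for row in exclude_post_reboot_changes(SAMPLE_ROWS):
        print(f"  {row['TimeGenerated']}  {row['Computer']:6}  {row['SvcName']} -> {row['SvcState']}")
```

The window is per computer, so a reboot on one host never hides changes on another, and changes that precede the reboot record are kept because they cannot be a consequence of it. Widening `window` is the knob to turn if services on a given host take longer to settle after start-up.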
  • You could also *visually* correlate in one of the following ways:

    1) running two browser sessions side by side and run the two queries side by side

    2) having the two queries in two 'timeline mode' tiles in dashboard, side by side, or one above the other (even on mobile)

    you would see clusters of changes in one graph at the same time as the reboot event 'peaks' in the other graph...

    You like screenshots, here's one for you:

    [Screenshot: Overlapping Timelines]

    Would be cool if you could issue MULTIPLE queries and bind both to the same tile to do this type of 'overlapping' - that is something I had imagined - kind of like what is on the change tracking default overview tile, with two bar charts above each other... but general/configurable in dashboards. This is NOT something we have prioritized so far, just an idea you just triggered.

    Saturday, November 15, 2014 3:44 AM