MICROSOFT OPERATIONS MANAGEMENT SUITE (OMS) – LOG SEARCH CHEAT SHEET
Examples:
If a query returns no data, the most likely cause is that the solution producing that data type has not been installed in the workspace. The queries below progress from simple filters to more complex pipelines.
Retrieve all Events
Type=Event

Count of all records, grouped by Type
* | MEASURE COUNT() by Type

Retrieve Events with IDs 100 up to 3000 from the Application log
Type=Event EventLog=Application EventID:[100..3000]

Count of Events grouped by Event ID
Type=Event | MEASURE COUNT() by EventID

List all available Types
* | MEASURE COUNT() by Type

When did my servers initiate a restart?
shutdown Type=Event EventLog=System Source=User32 EventID=1074 | SELECT TimeGenerated,Computer

Which management group sends the most data
* | MEASURE count() by ManagementGroupName

Search all Events for shutdown warning events
shutdown Type=Event EventLog=System Source=User32 EventLevelName=warning

On which machines, and how many times, have Windows Firewall policy settings changed
Type=Event EventLog="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" EventID=2008 | MEASURE COUNT() by Computer

Computers with more than 2GB of available memory, displayed as a line chart
Type=Perf ObjectName=Memory CounterName="Available MBytes" | MEASURE AVG(CounterValue) by Computer | WHERE AggregatedValue>2000 | DISPLAY lineChart

Stale Computers (data older than 24 hours)
NOT(ObjectName="Advisor Metrics" OR ObjectName=ManagedSpace) | MEASURE MAX(TimeGenerated) as LastData by Computer | TOP 500000 | WHERE LastData < NOW-24HOURS

Active recommendations for databases
Type=SQLAssessmentRecommendation RecommendationResult=Failed | MEASURE COUNT() by DatabaseName

List all Computers whose last reported data is older than 4 hours
ObjectName!="Advisor Metrics" ObjectName!=ManagedSpace | MEASURE MAX(TimeGenerated) as LastData by Computer | WHERE LastData<NOW-4HOURS | SORT Computer

Computers with detected threats
Type=ProtectionStatus ThreatStatusRank > 199 ThreatStatusRank != 470 | MEASURE MAX(ThreatStatusRank) as Rank by Computer | Top 50000

Average CPU utilization of the top 5 machines
Type=Perf CounterName="% Processor Time" InstanceName="_Total" | MEASURE AVG(SampleValue) as AVGCPU by Computer | SORT AVGCPU DESC | TOP 5

Return % CPU Usage and % Free Disk Space for the past 4 hours
Type=Perf InstanceName:_Total ((ObjectName:Processor AND CounterName:"% Processor Time") OR (ObjectName="LogicalDisk" AND CounterName="% Free Space")) AND TimeGenerated>NOW-4HOURS

List all Events that have “Ops” in their SourceSystem field
Type=Event SourceSystem=RegEx("Ops@")

List all Perf records that have “Bytes Sent/sec” in CounterPath
Type=Perf CounterPath=Regex("@Bytes Sent/sec@")

List all network adapters which do not contain Realtek RTL8139C
Type=Perf InstanceName=Regex("[^Realtek RTL8139C]@")

List all Heartbeat events from OS major version 5, 6 and 7
Type=Heartbeat OSMajorVersion=RegEx("[5-7]")
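The pipelines above follow one pattern: a free-text term and field=value facets select records, MEASURE aggregates them per group, and WHERE, SORT and TOP operate on the aggregated rows. The following Python script is an added example (not part of the cheat sheet or any Microsoft tool) that emulates that pattern over constructed records, so the "stale computers", "top 5 CPU" and "restart" queries can be checked offline. Record layout, field values and the current time are all assumptions; in particular the free-text term "shutdown" is assumed to match against the event's RenderedDescription text.

```python
"""Added example: emulates the select | MEASURE | WHERE | SORT | TOP pipeline
of the OMS log search cheat sheet over constructed, in-memory records."""
from datetime import datetime, timedelta, timezone

# Constructed "now" so that results are deterministic (assumption, not real data).
NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)


def _perf(computer, obj, counter, value, age):
    """Build one constructed Type=Perf record, <age> before NOW."""
    return {"Type": "Perf", "Computer": computer, "ObjectName": obj,
            "CounterName": counter, "InstanceName": "_Total",
            "SampleValue": value, "TimeGenerated": NOW - age}


# Constructed sample records; field names mirror the cheat sheet, values are invented.
RECORDS = [
    _perf("web01", "Processor", "% Processor Time", 80.0, timedelta(minutes=5)),
    _perf("web01", "Processor", "% Processor Time", 60.0, timedelta(minutes=10)),
    _perf("db01", "Processor", "% Processor Time", 30.0, timedelta(minutes=5)),
    _perf("db01", "Memory", "Available MBytes", 4096.0, timedelta(minutes=1)),
    _perf("old01", "Processor", "% Processor Time", 10.0, timedelta(hours=6)),
    # "Advisor Metrics" rows are excluded by the NOT(...) clause, so old02 is never
    # reported as stale even though its only record is 30 hours old.
    _perf("old02", "Advisor Metrics", "Score", 1.0, timedelta(hours=30)),
    {"Type": "Event", "Computer": "web01", "EventLog": "System", "Source": "User32",
     "EventID": 1074, "TimeGenerated": NOW - timedelta(hours=2),
     "RenderedDescription": "The process C:\\Windows\\system32\\shutdown.exe (WEB01) "
                            "has initiated the restart of computer WEB01 on behalf of "
                            "user CONTOSO\\admin for the following reason: "
                            "Operating System: Upgrade (Planned)"},
    {"Type": "Event", "Computer": "db01", "EventLog": "Application",
     "Source": "Application Error", "EventID": 1000,
     "TimeGenerated": NOW - timedelta(hours=1),
     "RenderedDescription": "Faulting application name: sqlservr.exe"},
]


def search(rows, text=None, **facets):
    """The part before the first pipe: optional free text plus field=value facets.
    Every facet must match; free text must appear in at least one string field."""
    out = []
    for r in rows:
        if any(r.get(k) != v for k, v in facets.items()):
            continue
        if text and not any(isinstance(v, str) and text.lower() in v.lower()
                            for v in r.values()):
            continue
        out.append(r)
    return out


def measure(rows, fn, field, by, as_name):
    """MEASURE fn(field) as <as_name> by <by>: one output row per distinct <by> value."""
    groups = {}
    for r in rows:
        groups.setdefault(r[by], []).append(r[field])
    return [{by: key, as_name: fn(vals)} for key, vals in groups.items()]


def avg(vals):
    return sum(vals) / len(vals)


def stale_computers(rows, now=NOW, hours=4):
    """ObjectName!="Advisor Metrics" ObjectName!=ManagedSpace
       | MEASURE MAX(TimeGenerated) as LastData by Computer
       | WHERE LastData<NOW-<hours>HOURS | SORT Computer"""
    kept = [r for r in rows if r.get("ObjectName") not in ("Advisor Metrics", "ManagedSpace")]
    agg = measure(kept, max, "TimeGenerated", "Computer", "LastData")
    agg = [r for r in agg if r["LastData"] < now - timedelta(hours=hours)]  # WHERE
    return sorted(agg, key=lambda r: r["Computer"])                          # SORT Computer


def top_cpu(rows, n=5):
    """Type=Perf CounterName="% Processor Time" InstanceName="_Total"
       | MEASURE AVG(SampleValue) as AVGCPU by Computer | SORT AVGCPU DESC | TOP n"""
    perf = search(rows, Type="Perf", CounterName="% Processor Time", InstanceName="_Total")
    agg = measure(perf, avg, "SampleValue", "Computer", "AVGCPU")
    return sorted(agg, key=lambda r: r["AVGCPU"], reverse=True)[:n]


def restart_events(rows):
    """shutdown Type=Event EventLog=System Source=User32 EventID=1074
       | SELECT TimeGenerated,Computer"""
    hits = search(rows, text="shutdown", Type="Event", EventLog="System",
                  Source="User32", EventID=1074)
    return [{"TimeGenerated": r["TimeGenerated"], "Computer": r["Computer"]} for r in hits]


if __name__ == "__main__":
    print("stale (4h):", [r["Computer"] for r in stale_computers(RECORDS)])
    print("top CPU:", [(r["Computer"], r["AVGCPU"]) for r in top_cpu(RECORDS)])
    print("restarts:", restart_events(RECORDS))
```

The order of the stages matters in the same way it does in the real search language: filtering before MEASURE decides which records feed the aggregation (old02 drops out before MAX is taken), while WHERE after MEASURE operates on the aggregated LastData and AVGCPU fields, not on the raw records.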
Tips & Tricks:
▪ NOW/DAY rounds the current Date/Time to the midnight of the current day.
▪ Every item has a TimeGenerated field which can be used to filter the data.
▪ Use display LineChart or display StackedBarChart to visualize your data.
▪ “Type” is a field name and therefore case sensitive. “TYPE” does not work!

Sources:
Log Search Overview (Microsoft)
Log Analytics Search Reference (Microsoft)
OMS Blog (Microsoft)
Version 2.0