
# Last Heartbeat Arc Machines

## Query Information

#### Description
This query lists the latest heartbeat for each Azure Arc onboarded machine.

## Sentinel
```KQL
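// Resource IDs of all Azure Arc onboarded machines, from Azure Resource Graph
let ArcMachines = arg("").Resources
| where type == "microsoft.hybridcompute/machines"
| distinct id;
// Latest heartbeat record per computer, limited to Arc machines
Heartbeat
| summarize arg_max(TimeGenerated, TimeGenerated, Computer, Resource, ResourceId) by Computer
| where ResourceId in (ArcMachines)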
```

## Explanation

This query is designed to identify the most recent heartbeat signal for each machine that has been onboarded to Azure Arc. Here's a simple breakdown of what it does:

1. Identify Azure Arc Machines:
   - It first filters resources to find those that are Azure Arc machines. This is done by checking if the resource type is `"microsoft.hybridcompute/machines"`.
   - It then creates a distinct list of these machine IDs.
2. Find Latest Heartbeat:
   - The query looks at the `Heartbeat` data, which records regular signals sent by machines to indicate they are operational.
   - It summarizes the data to find the most recent (latest) heartbeat for each machine. This is achieved using the `arg_max` function, which selects the entry with the maximum (latest) `TimeGenerated` for each computer.
3. Filter for Arc Machines:
   - Finally, it filters the heartbeat records to include only those that belong to the previously identified Azure Arc machines.

In summary, this query provides a list of the most recent heartbeat signals for machines that are managed through Azure Arc, helping to monitor their operational status.
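A variant of the query above that returns only the Arc machines whose latest heartbeat is older than a threshold, so silent machines stand out. This is an added example, not part of the original query; the names `LookbackWindow` and `StaleAfter` and their values are assumptions to adjust per environment.

```kql
// Added example: flag Arc machines that have stopped sending heartbeats.
// LookbackWindow and StaleAfter are assumed values, not from the original query.
let LookbackWindow = 14d;   // how far back to search for a last heartbeat
let StaleAfter = 1h;        // silence longer than this is reported
let ArcMachines = arg("").Resources
| where type == "microsoft.hybridcompute/machines"
| distinct id;
Heartbeat
| where TimeGenerated > ago(LookbackWindow)
// Latest heartbeat per computer, keeping the resource columns of that record
| summarize arg_max(TimeGenerated, Resource, ResourceId) by Computer
| where ResourceId in (ArcMachines)
// Time elapsed since the machine last reported in
| extend SinceLastHeartbeat = now() - TimeGenerated
| where SinceLastHeartbeat > StaleAfter
| project Computer, Resource, ResourceId, LastHeartbeat = TimeGenerated, SinceLastHeartbeat
| order by SinceLastHeartbeat desc
```

A machine with no heartbeat at all inside `LookbackWindow` has no row in `Heartbeat` and therefore does not appear in the result.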

## Details

Bert-Jan Pals

Released: January 20, 2025

Tables: Resources, Heartbeat

Keywords: Azure, Arc, Machines, Heartbeat, Computer, Resource, ResourceId

Operators: let, arg, Resources, where, type, distinct, id, Heartbeat, summarize, arg_max, TimeGenerated, Computer, Resource, ResourceId, by, in
