Speaking of my favorite suite, it’s still moving at cloud speed and more and more solutions are added in GA, public preview and private preview.
One of the latest and maybe less known addition is agent heartbeat. The agents by default send an heartbeat document to the workspace every 60 seconds.
You don’t have to do anything to activate heartbeat, ss easy as it comes you just have to query for: Type:Heartbeat to get all your reporting agents.
The heartbeat document brings a ton of useful information that can be used for:
- knowing which agents are reporting and which are not
- knowing the way the agent is communicating (through SCOM vs Direct, is it using a gateway?)
- checking at a glance the agent version
- checking the operating system type and version
My favorite query when speaking about heartbeat is the simplest one, just give me the latest heartbeat for each computer: Type:Heartbeat | dedup Computer
Obviously you can write all the alerting rules you need, for example for agents not heartbeating: Type:Heartbeat | measure max(TimeGenerated) by Computer | where AggregatedValue < NOW-30MINUTE
Just beware that the RemoteIPCountry field for VMs on Azure is not 100% reliable due to how Azure allocates public IPs.
Learn how to publish the heartbeat data to PowerBI in this Tso’s post