Custom trends NQL examples

Keeping track of execution crashes

Track the daily number of execution crashes.

Custom trend definition

devices
| include execution.crashes during past 1d
| compute nb_crashes = number_of_crashes.sum()
| list nb_crashes, hardware.manufacturer

Custom trend data retrieval

You can use the above trend definition to build the following dashboard:

  1. Compute the number of devices with crashes and the total number of devices.

    custom_trend.#execution_crashes.snapshots during past 90d
    | summarize devices_with_crashes = device.countif(nb_crashes > 0), device_count = device.count()
  2. Observe how the total number of crashes changes from day to day over the last 90 days.

    custom_trend.#execution_crashes.snapshots during past 90d
    | summarize number_of_crashes_ = nb_crashes.sum() by 1d
  3. Observe the total number of crashes per device platform. Include only devices with at least one crash.

    custom_trend.#execution_crashes.snapshots during past 90d
    | where nb_crashes > 0
    | summarize number_of_crashes_ = nb_crashes.sum() by context.device_platform
    | sort number_of_crashes_ desc
  4. Observe the total number of crashes and the number of devices with crashes per hardware manufacturer. Virtual machines and devices with no manufacturer recorded are excluded.

    custom_trend.#execution_crashes.snapshots during past 90d
    | where hardware_manufacturer != "VMWare"
    | where hardware_manufacturer != null
    | summarize number_of_crashes_ = nb_crashes.sum(), number_of_devices_ = device.count() by hardware_manufacturer
    | sort number_of_crashes_ desc

Monitoring Windows 11 migration

Track the ratio of devices with Windows 11 over time.

Custom trend definition

devices
| where operating_system.platform == windows
| list operating_system.name, hardware.type

Custom trend data retrieval

custom_trend.#windows_migration.snapshots during past 300d
| where hardware_type !in [virtual, null]
| summarize ratio_with_windows_11 = countif(operating_system_name == "*windows 11*")/count() by 1d

Monitoring boot duration

Track the average boot duration per device to monitor the effect of rolling out leaner configurations.

Custom trend definition

devices during past 1d
| include device_performance.boots during past 1d
| compute boot_duration = duration.avg()
| list boot_duration, hardware.type

Custom trend data retrieval

custom_trend.#boot_duration.snapshots during past 90d
| where (context.device_platform == "Windows" and hardware_type == laptop)
| summarize boot_duration_avg = boot_duration.avg() by 1d

Monitoring application crashes on startup

Track the daily number of devices that had at least one application crash during application startup.

Note that custom trends do not support metrics of the Boolean data type, so the Boolean field crash_on_start is stored as a number instead.

Custom trend definition

  • The following custom trend definition saves 1 for devices where the value is true and 0 for devices where it is false (device.count() over the filtered crashes is 1 when at least one matching crash exists and 0 otherwise).

devices during past 1d
| include execution.crashes during past 1d
| where crash_on_start == true
| compute crash_on_start_count = device.count()
| list crash_on_start_count
  • The following custom trend definition saves the number of application crashes on startup per device. Using count() instead of device.count() stores the actual number of crashes rather than a 0/1 flag, which allows more detailed statistics at retrieval time.

devices during past 1d
| include execution.crashes during past 1d
| where crash_on_start == true
| compute crash_on_start_count = count()
| list crash_on_start_count

Custom trend data retrieval

custom_trend.#crashes_on_start.snapshots during past 300d
| where crash_on_start_count > 0
| summarize devices_with_app_crashes_at_start = count() by 1d

Monitoring Intune certificate installation

Track the daily number of devices with the Intune certificate installed, based on data returned by a remote action whose output is a Boolean value.

Note that custom trends do not support metrics of the Boolean data type.

The following trend monitors the returned value without storing the Boolean directly. It is important to include the remote action status (last_status) in the custom trend NQL definition: without it, a successful execution that returned 0 (false, certificate not installed) cannot be distinguished from a failed or missing execution that produced no data at all.

Custom trend definition

devices
| include remote_action.get_intune_device_status.executions during past 1d
| where outputs.onboarding_certificate_installed == true
| compute one_if_RA_successful_and_certificate_installed_zero_otherwise = device.count(), last_status = status.last()
| list one_if_RA_successful_and_certificate_installed_zero_otherwise, last_status

Custom trend data retrieval

custom_trend.#custom_trend_with__ra_bool.snapshots during past 300d
| summarize n_devices_with_certificate = countif(last_status == success and one_if_RA_successful_and_certificate_installed_zero_otherwise == 1),
    n_devices_without_certificate = countif(last_status == success and one_if_RA_successful_and_certificate_installed_zero_otherwise == 0),
    n_devices_without_information = countif(last_status != success) by 1d
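The three-bucket logic of the retrieval query above, reproduced in Python over constructed snapshot rows (this is an added illustration, not Nexthink code or data; the day, device and status values, including the "failure" status, are made up). It shows why a 0 in the stored flag must only be read as "certificate absent" when last_status is success, and what a status-blind query would report instead.

```python
from collections import defaultdict

# Constructed snapshot rows (not real Nexthink data). One row per device per
# daily snapshot, mirroring the fields the trend definition lists: "flag" is
# one_if_RA_successful_and_certificate_installed_zero_otherwise, and a None
# status models a device with no remote action execution in the window.
SNAPSHOTS = [
    {"day": "2024-05-01", "device": "ws-001", "last_status": "success", "flag": 1},
    {"day": "2024-05-01", "device": "ws-002", "last_status": "success", "flag": 0},
    {"day": "2024-05-01", "device": "ws-003", "last_status": "failure", "flag": 0},
    {"day": "2024-05-01", "device": "ws-004", "last_status": None, "flag": 0},
    {"day": "2024-05-02", "device": "ws-001", "last_status": "success", "flag": 1},
    {"day": "2024-05-02", "device": "ws-002", "last_status": "success", "flag": 1},
    {"day": "2024-05-02", "device": "ws-003", "last_status": "success", "flag": 0},
    {"day": "2024-05-02", "device": "ws-004", "last_status": "failure", "flag": 0},
]


def summarize_by_day(rows):
    """Mirror the retrieval query: three countif buckets per day.

    A flag of 0 means 'certificate absent' only when the remote action
    succeeded; any other status lands in 'without_information' so that
    devices we know nothing about are never reported as non-compliant.
    """
    out = defaultdict(lambda: {"with_certificate": 0,
                               "without_certificate": 0,
                               "without_information": 0})
    for r in rows:
        bucket = out[r["day"]]
        if r["last_status"] == "success" and r["flag"] == 1:
            bucket["with_certificate"] += 1
        elif r["last_status"] == "success" and r["flag"] == 0:
            bucket["without_certificate"] += 1
        else:
            bucket["without_information"] += 1
    return dict(out)


def summarize_without_status(rows):
    """Status-blind variant: every stored 0 is misread as a missing certificate."""
    out = defaultdict(lambda: {"with_certificate": 0, "without_certificate": 0})
    for r in rows:
        key = "with_certificate" if r["flag"] == 1 else "without_certificate"
        out[r["day"]][key] += 1
    return dict(out)
```

On the first constructed day the status-aware summary reports 1 device with the certificate, 1 without and 2 unknown, while the status-blind variant reports 3 devices without the certificate.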

Monitoring CPU usage of different binary versions

Track the average CPU usage of an application, broken down by binary version.

Custom trend definition

devices
| include execution.events during past 1d
| where binary.name == "zoom.exe"
| compute CPU_usage_ratio = ((cpu_time.sum()) * (100)) / ((execution_duration.sum()) * (number_of_logical_processors.max())), last_version = binary.version.last()
| list CPU_usage_ratio, last_version

Custom trend data retrieval

custom_trend.#zoom_cpu_usage_ratio.snapshots during past 300d
| summarize c1 = CPU_usage_ratio.avg() by 1d, last_version
