16 Jul 2025 09:10 PM - last edited on 31 Jul 2025 12:42 PM by Michal_Gebacki
EDIT:
The Davis Anomaly Detection rule ended up generating too many alerts since it checks often.
We moved this query to a Workflow that runs it once a day and sends a notification via the Send Email action.
*****
Our team needed a way to alert when the OneAgent fails to upgrade to the latest available version and is running an outdated version.
To address this, we created the following DQL query to be used with Davis Anomaly Detection.
Notifications can be configured using a Management Zone in combination with an Alert Profile.
Alternatively, tags can also be used to help route alerts to the appropriate team.
We also needed to exclude hosts that could not be upgraded due to an unsupported OS version (lookup sub-query).
You can drop the sub-query if that is not required.
// Fetch hosts with installed agent versions and sort asc by Installer Version
// Sort order will help filter out any hosts that are not running the latest version in the next sub-query
fetch dt.entity.host
| filter isNotNull(installerVersion)
| fields id, entity.name, installerVersion, lifetime
// Converting the lifetime[end] value to "timestamp" enables the user to create a timeseries metric at the end to run in Davis Anomaly Detection
| fieldsAdd timestamp=toTimestamp(lifetime[end])
| fieldsRemove lifetime
// NOTE: sorted in ascending order to get oldest agent versions
| sort installerVersion asc
| limit 30
| summarize {installerVersion=max(installerVersion)}, by:{entity.name, id, timestamp}
// Fetch hosts with installed agent version, sort desc by Installer Version and return matching host IDs
| join [
    fetch dt.entity.host
    | filter isNotNull(installerVersion)
    | fields installerVersion, id
    // NOTE: sorted in descending order to get latest agent versions
    | sort installerVersion desc
    | limit 30
  ], on:{id}, kind: leftOuter, fields:{latestAgentVersion=installerVersion}
// Filter out hosts matching the latest Agent version
| filter isNull(latestAgentVersion)
| fieldsRemove latestAgentVersion
// Fetch logs & lookup hosts with failed installation due to unsupported platform (dynamically)
// And exclude matched hosts.
| lookup [
    fetch logs, from:now()-48h
    | filter matchesValue(log.source, "Windows Application Log") and loglevel == "ERROR"
    | filter contains(content, "unsupported platform") and contains(content, "Dynatrace OneAgent")
    | dedup dt.entity.host
    | sort timestamp desc
    | fields dt.entity.host
  ], sourceField: id, lookupField: dt.entity.host
// Exclude agents running on an unsupported OS version
| filter isNull(lookup.dt.entity.host)
// Remove unnecessary fields
| fieldsRemove lookup.dt.entity.host
// Create timeseries metric
| maketimeseries Count=count(default:0), by:{dt.entity.host=entity.name, installerVersion}, interval:1m
Hope this helps the community.
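The same detection logic as an added Python reference implementation (not the poster's or Dynatrace's code) over constructed host and log records shaped like the query's inputs; the version string layout and host IDs are assumed sample values. Unlike a plain string sort, it compares dotted version components numerically, which matters once a "1.99"-style version meets a "1.311"-style one.

```python
"""Outdated-OneAgent check mirroring the DQL query above (added example).
All host and log records below are constructed sample data."""
import re
from typing import Dict, List, Set, Tuple

# Constructed host inventory with the dt.entity.host fields the query uses.
HOSTS: List[Dict[str, str]] = [
    {"id": "HOST-1", "entity.name": "web-01", "installerVersion": "1.311.48.20250610-123456"},
    {"id": "HOST-2", "entity.name": "web-02", "installerVersion": "1.299.17.20250101-101010"},
    {"id": "HOST-3", "entity.name": "db-01", "installerVersion": "1.311.48.20250610-123456"},
    {"id": "HOST-4", "entity.name": "legacy-01", "installerVersion": "1.263.5.20230301-090909"},
    {"id": "HOST-5", "entity.name": "app-01", "installerVersion": "1.99.1.20200101-000000"},
]

# Constructed log records shaped like the lookup sub-query's input.
LOGS: List[Dict[str, str]] = [
    {"log.source": "Windows Application Log", "loglevel": "ERROR",
     "content": "Dynatrace OneAgent installer failed: unsupported platform",
     "dt.entity.host": "HOST-4"},
    {"log.source": "Windows Application Log", "loglevel": "INFO",
     "content": "Dynatrace OneAgent updated", "dt.entity.host": "HOST-2"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a version such as '1.311.48.20250610-123456' into comparable integers."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def unsupported_hosts(logs: List[Dict[str, str]]) -> Set[str]:
    """Hosts whose installer logged an 'unsupported platform' error (the lookup sub-query)."""
    return {
        r["dt.entity.host"] for r in logs
        if r["log.source"] == "Windows Application Log" and r["loglevel"] == "ERROR"
        and "unsupported platform" in r["content"] and "Dynatrace OneAgent" in r["content"]
    }


def outdated_hosts(hosts: List[Dict[str, str]], logs: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(name, version) for hosts below the newest observed version, minus hosts
    that cannot be upgraded. Numeric comparison avoids the string-order trap
    where '1.99...' would sort above '1.311...'."""
    latest = max(parse_version(h["installerVersion"]) for h in hosts)
    skip = unsupported_hosts(logs)
    return sorted(
        (h["entity.name"], h["installerVersion"]) for h in hosts
        if parse_version(h["installerVersion"]) < latest and h["id"] not in skip
    )


if __name__ == "__main__":
    for name, version in outdated_hosts(HOSTS, LOGS):
        print(f"{name}: {version}")
```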
17 Jul 2025 09:11 AM
Thanks!