This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 50%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Hi,
I know that in SCOM we have event correlation. As in we can correlate multiple "similar" events in to an existing alert if the conditions match.
I also know that we have Health roll-up where when say X number of child objects are unhealthy, the roll-up will be unhealthy. And therefore we could choose to have the alert at the roll-up level or the child level.
But is there any way at the moment (or any plans) to allow a combination of the roll-up, like SolarWinds does and also like ScienceLogic does. In other words, alert at child level (and therefore get more specific details in the alert) as long as the parent is deemed healthy, BUT...do NOT alert at child level when the parent is deemed unhealthy, and instead let the roll-up alert. At the moment (as far as I understand), we can only have one or the other, as we simply chose to enable or disable the monitor. We still need the child alert up to a point where we can say that there is something wrong at a higher level.
In SolarWinds, if for example a switch is down, you can tell it to put the child objects such as ports in an unmonitored state so that you don't get a port alert and the switch alert.
In ScienceLogic, you can configure masking/suppression that acts in a similar way by silencing child devices if the parent is unhealthy.
I know Kevin did something similar as part of a demo for consolidating heartbeat alerts when a Gateway Server goes down, but it almost feels like Microsoft are missing a trick at the moment.
Our main monitoring tool is SCOM but we also have ScienceLogic used (by our service provider) for cloud servers and we also have SolarWinds for Core network devices. I am concerned at the moment because SCOM is currently noisy with these duplicated scenarios, and we have reviews at the moment. I know all these tools have their advantages and disadvantages but I sense if we cannot do something to correlate the noise from SCOM, one of these other tools may be chosen instead.
I am happy to author something, but I don't want to end up almost re-inventing the way SCOM works just to make it happen.
Thanks
Andrew
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
Hi,
As far as I know, SCOM built-in with Aggregate rollup monitor and a Dependency rollup monitor. For complex logical judgments can be achieved by writing scripts.
Thank you very much for your valuable comments, In particular, the experience gained after a horizontal comparison of similar products. We'll try to feedback this idea to the product team.
Hi Andrew,
I think I understand the logic here, but I am, not quite sure if this can be achieved the same way with SCOM (or at least not without some complex authoring). What I would do in your case is post this on the new System Center Operations Manager Feedback Site, maybe the SCOM Product Group will find this interesting and address it:
System Center Operations Manager Feedback Site
https://feedback.azure.com/d365community/forum/2a49c9ee-4436-ec11-b6e6-00224824730c
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov
I agree with Stoyan. Nothing out of the box and probably some PowerShell to evaluate health states and alert appropriately.
Do you have a link to Kevins presentation ? "I know Kevin did something similar as part of a demo for consolidating heartbeat alerts when a Gateway Server goes down"
It might be possible to review the code and reverse engineer something similar but it is almost certainly going to be on a roll up by roll up basis and so not easily extensible \ scalable as a "fix" for rollups in general.
Regards
Graham
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 61%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
Thanks All for your replies. Apologies for the delay (time flies!) in coming back on this. Yeah, I think for now we can at least target the main ones creating thousands of incidents per month, so things like the heartbeat alert and failed to connect. That would massively reduce the totals. The link for Kevin's post is https://scomathon.com/blog/automating-maintenance-mode-for-computers-behind-a-gateway-scom-management-pack-by-kevin-holman/ I have been toying with the idea of doing something in Orchestrator as well as we also use a custom solution from Kelverion for bringing in SolarWinds alerts. This would also allow us to see what network issues (core network devices are monitored with SW) are going on at a higher level. But I stalled on this as it was getting a bit complex to try to come up with something that would map an object in SCOM as being part of a switch, for example in SolarWinds and of course how it would be presented in our CMDB.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 15%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMI%3C/text%3E%3C/svg%3E)
"In other words, alert at child level (and therefore get more specific details in the alert) as long as the parent is deemed healthy, BUT...do NOT alert at child level when the parent is deemed unhealthy, and instead let the roll-up alert."
To distill your request, basically you don't want the child instances to generate alerts if the parent is in a critical state.
You can do some customization using the command channel and PowerShell but I would look better and what you want to achieve here.
What is the actual issue? To many alerts?
Where? On the SCOM Dashboard? Email/IM alert notifications? SQL database?
Even with your switch and ports example, Dashboards can be filtered and scoped. Same with IM alert notifications.
Hi Marius, thanks for the response.
The issue is spamming peoples incident queue with things like heartbeat alerts or failed to connect to computer alerts when they already know that the site is down but yet we keep sending through these alerts for every server. They do want the incidents under normal circumstances, just not when they are trying to resolve a P1 for a site being down and being flooded with these.
Hence the reason why I mentioned SolarWinds because that does work well where you can alert for each port but then when the rollup goes to the switch based on say x% of the ports down and the switch is unhealthy, then stop spamming peoples queues with useless ports are down when they know they whole switch is down.
This is why I thought about Orchestrator but it gets too complex to maintain a record of what is the linked issue and whether it is an issue at the moment and Orchestrator is already a bit flaky due to the restricted logic in the activities and workflows, so it would be hard to control and opens up the potential for missing real incidents.
My only realistic option currently is turning off the alert and monitoring the health states from the console but at a time where I am down to 1 support person for SCOM now, giving less people more work is something I am keen to avoid, because the strategy is to use Service Management Tool. And the bottom line is that this has been a pet hate of lots of people for many years now and if other products can do it seemingly well, why can't SCOM. That though is a separate question so will just have to see how that goes on the product page :-)
Edit: Just for information - I thought I had raised this on the feedback site but can't locate it therefore I have just raised it now: https://feedback.azure.com/d365community/idea/f47ee16c-0adb-ee11-a73d-000d3adc65a4
As a workaround for heartbeats or failed to connect to computer alerts you could implement a workaround, using the command channel with a delay, call a script that connects to SCOM, gets the HB and FTC alerts and if the parent (that is the MS or Resource pool) is not available automatically close the alerts.
But based on how you are approaching this I think that you are not interested in a workaround, but more of a feature. That will take a long time and might not even be implemented.
Depending on your escalation process, it could be changed lets say so that you have a dashboards only with 'notified' alerts which SD can react to instead of jumping on any new alert they see in the dashboard.
And also alert storms are usually rare. If you have them frequently something is not working well and needs to be addressed instead of adapting the monitoring tool to the issue.