Adding custom information to alert description(s) and notifications


Comments

  • Anonymous
    January 01, 2003
    PingBack from http://contoso.se/blog/?p=265

  • Anonymous
    January 01, 2003
    Main Downloads page (catalog, documentation) http://technet.microsoft.com/en-us/opsmgr/bb498232.aspx

  • Anonymous
    January 01, 2003
    There are several examples in blogs on how to create a generic text log rule to monitor for a local text

  • Anonymous
    January 01, 2003
    Many times, we would like to collect information for reporting, or measure and alert on something.

  • Anonymous
    January 01, 2003
    Here are a couple of tidbits on command notification with Operations Manager 2007 I’ve seen people

  • Anonymous
    January 01, 2003
    When you create an Alert Description in OpsMgr 2007 for alerting rules and monitors.... you might have

  • Anonymous
    January 01, 2003
    Not that I am aware of - but I am working on just that issue.  We really need this - and if there is a way to xpath this - it would really help. I am trying to find out if this is possible from the product group right now - but I don't think it is.  Sure would be nice. I am developing a spreadsheet to cross reference the alert view in the console/alert view in DB/alert notification variables/SDK Get-Alert/R2 connector key pairs.

  • Anonymous
    January 01, 2003
    Tom - the reason this doesn't work - is because there IS NO "EventDescription" for a server monitor. Event Description is for Events, in the Event log.  The Service unit monitor is its own module, and it has no relation to the event log module.  You need to use variables applicable to the Service Unit Monitor.... which are posted above.

  • Anonymous
    January 01, 2003
    @Email Admin - This is doable - when you create the alert notification subscription - use the variables above and input them in the proper format that you want, into the email channel - and then use that custom channel for a subscription to that specific alert (computer unreachable)

  • Anonymous
    January 01, 2003
    Eric - these should be working fine when used in a notification, for an NT event log rule or monitor. SCOM 2007R2 or SCOM 2012?

  • Anonymous
    January 01, 2003
    You can add anything that is a property of your data source.... like event, perf, etc... that our data source module understands. The IP address is an ATTRIBUTE of the Windows Computer object... and is not tied to the alert, or the data source. So - I don't know a way to add the IP address of the object to all alerts.... and this won't always even make sense - for alerts that come from "SQL Database" for instance.   The only thing I can think of is writing a custom product connector - which would modify alerts via the SDK after they are created on a polling cycle.... this connector would examine the alert - query up the containment/hosting relationships to find the windows computer object - gather the IP attribute - and populate a custom field with the IP, on the alert.

    • Anonymous
      May 22, 2016
      Hi, is there a way we can have affected server IP address as well along with hostname. We are getting server hostname but want to add the affected server IP address as well. Please suggest.
      • Anonymous
        May 23, 2016
        I already answered that - directly above your question.
  • Anonymous
    January 01, 2003
    The event Monitor variables don't work. I'm trying to put information in the subject of the notification subscription based on a monitor.  I'm using $Data/Context/UserName$ is logging in to $Data/Context/LoggingComputer$ as the subject.  When the email goes out, I get " is logging in to "

  • Anonymous
    January 01, 2003
    Aggregate rollup monitors roll up state only.  They have no idea or information about the values or details on the monitors below them.  They have a state-rollup algorithm (best of, worst of) and then they simply change state according to that policy. In this way - by design if you alert from an aggregate monitor - you cannot get deep level details about the root cause monitor - it could be one - or many that are problematic at any given time. For the details - you must alert on the unit monitor.

  • Anonymous
    January 01, 2003
    How to get the source server name in alert description for the alerts that we are receiving for services going down. The string I am using here is as $Data/Context/Property[@Name='Name']$ has stopped running. This gives me only the service name. How to get the affected server name in this. Any help will be appreciated.

  • Anonymous
    January 01, 2003
    For these - please see http://blogs.technet.com/momteam/archive/2008/09/04/actionable-alerts-for-web-applications-in-operations-manager-2007.aspx

  • Anonymous
    January 01, 2003
    Q:  In email notification, is there any way to display the severity by 'name' instead of 'id' so I don't get an integer? A:  Not that I know of.

  • Anonymous
    April 15, 2008
    Do you think I can use another performance threshold monitor in alert description?

  • Anonymous
    May 02, 2008
    For Correlated event Monitor; Below is the variable for event Description $Data/Context/DataItem/Item0Context/DataItem/EventDescription$ $Data/Context/DataItem/Item1Context/DataItem/EventDescription$

  • Anonymous
    September 15, 2008
    What do you do when you have monitors created from Web application template, like in case an Base page status code monitor should be able to send out mail indicating from which web site that Alert is raised and also the exact base page status code which generated the error

  • Anonymous
    October 17, 2008
    Is there a way to add company knowledge to notifications.

  • Anonymous
    October 28, 2008
    great resource. you saved my day.

  • Anonymous
    March 23, 2009
    Kevin nice one, but when I try the alerting in a monitor which monitors a basic service. And for example I use $Data/Context/EventDescription$ my alert will result in {0}.. shouldn't that be anything more helpful? And can you use multiple lines? Because when I try it, the alert just won't come..?

  • Anonymous
    March 23, 2009
    Kevin, i've already tried about anything shown above now i've tried this one : $Data/Context/Property[@Name='Name']$ it still gives me {0}

  • Anonymous
    March 24, 2009
    It's fixed.. when I changed something in the alert description, I immediately looked in the alert what was showing up in the active alerts. It always said {0}. I never waited for a new alert to pop up. Apparently when a new one shows, the event description is populated perfectly. Thanks for your assistance!

  • Anonymous
    May 18, 2009
    can I get the ip address of the host?

  • Anonymous
    July 13, 2009
    If I have a configuration parameter in the monitor like a threshold number, how do i access this value in the alert? For e.g. I have a monitor that generates an alerts if 5 samples have value of call duration of more than 100ms. Both the number of samples and duration threshold need to be displayed in the alert. These are not properties of any of the classes.

  • Anonymous
    August 14, 2009
    Hi Kevin. using get-alert cmdlet we have field named "NetbiosComputerName". Is there any Xpath equivalent for this field?

  • Anonymous
    November 03, 2009
    Are there any Alert Description variables available for Aggregate rollup monitors?  At best, I would like to be able to have the Aggregate monitor alert description show the actual value that triggered the unhealthy state of the child monitors (in this case, CPU% utilization) like $Data/Context/Property[@Name='PctUsage'], but that does not work.  If that is not available to the parent monitor, then it would be nice to be able to include an Alert Description variable for the Alert Severity of the child monitor that went unhealthy (Warning or Critical).

  • Anonymous
    December 09, 2009
    even when i have created a unit monitor for % CPU utilization. When i use the same string in Alert description i don't get the value for CPU utilization.

  • Anonymous
    January 11, 2010
    The comment has been removed

  • Anonymous
    January 26, 2010
    Any update on a simple way to capture the hostname for ANY alert type?  This inability effectively shuts down our process of sending SCOM alerts to Tivoli TEC.  (Not using the TEC connector)  We need to have the severity, hostname, description, alert name of every eventalert that comes in.  Sometimes the parameters we use grab the hostname, others it does not.   Is Microsoft attempting to fix this?

  • Anonymous
    February 19, 2010
    Is there an xpath expression for a monitor's threshold value?  I wish to include this in my alerts so our alert recipients can see both the value that exceeded the threshold, and the threshold itself.  Thanks.

  • Anonymous
    March 01, 2010
    In email notification, is there any way to display the severity by 'name' instead of 'id' so I don't get an integer? For example, I want the notification to read Severity: Warning instead of Severity: 1 which is what happens when $Data/Context/DataItem/Severity$ variable is used.

  • Anonymous
    March 09, 2010
    The comment has been removed

  • Anonymous
    July 07, 2011
    Kevin, How do you embed diagnostic output in the alert notification?  For example, I have a script-based diagnostic attached to a percent processor utilization performance monitor.  The script lists the top running processes at the time, along with their individual processor utilization percentages.  It returns this information to the alert as a property bag property called 'Result'.  The diagnostic result appears in Health Explorer all right, but I also want to include it in the alert notification.  I would like to use something like this: $Data/Diagnostic/DataItem/Property[@Name='Result']$ (from: technet.microsoft.com/.../ff714576.aspx ), but it does not work.  I have also tried this without success: $Data/Context/Property[@Name='Result']$ BTW, ditto to David Strebel's question above. Thanks!

  • Anonymous
    September 28, 2011
    Hi, thanks, nice article.. but I have one query / help. I want to customize my own words like.. Server Name, Server Role, Up - Down - Down time - so can you suggest any way how we can customize the alert....!

  • Anonymous
    December 13, 2011
    Hi Kevin, I have a rule configured to capture the event log information from id's 644 & 4740, account lockouts.  I have a view setup to filter these account lockouts to just show service accounts in this format using text from the description:  'COMPANYs-%'. This filter works great. However I cannot get the same filter to work when sending out the notification in email. It seems to be all account lockouts or nothing. Any ideas how I can make this work? Thanks!

  • Anonymous
    February 11, 2012
    What's the value for setting SQL Instance name under SCOM Alert Message..?

  • Anonymous
    September 16, 2012
    Hello Kevin, Recently, I was asked to create a unit monitor to be alerted for any file changes in the environment. So, I created an event based timer reset monitor, which targets the security log and a particular ID and a parameter. The alerting works fine in SCOM whenever the ID and parameter are triggered together in the event viewer. The problem is with the description that is shown in SCOM. The event shows proper format of description as shown below: A handle to an object was requested. Subject:  Security ID:  DOMuser  Account Name:  user  Account Domain:  DOM  Logon ID:  0x1c77b615e Object:  Object Server:  Security  Object Type:  File  Object Name:  DeviceHarddiskVolume7testtestusertestuserHReportstesttest2012user2012Security2012.xlsx  Handle ID:  0x0 Process Information:  Process ID:  0x4  Process Name:   Access Request Information:  Transaction ID:  {00000000-0000-0000-0000-000000000000}  Accesses:  DELETE     READ_CONTROL     ACCESS_SYS_SEC     ReadData (or ListDirectory)     ReadEA     ReadAttributes  Access Reasons:  DELETE: Unknown or unchecked     READ_CONTROL: Granted by Ownership     ACCESS_SYS_SEC: Not granted due to missing SeSecurityPrivilege     ReadData (or ListDirectory): Unknown or unchecked     ReadEA: Unknown or unchecked     ReadAttributes: Granted by ACE on parent folder D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108)  Access Mask:  0x1030089  Privileges Used for Access Check: -  Restricted SID Count: 0 However, in the event viewer friendly view (both general and XML) the data is displayed as shown below: EventData  SubjectUserSid S-1-5-21-3362488545-1801783553-3570299896-4101  SubjectUserName user   SubjectDomainName DOM  SubjectLogonId 0x1c77b615e  ObjectServer Security  ObjectType File  ObjectName  DeviceHarddiskVolume7testtestusertestuserHReportstesttest2012user2012Security2012.xlsx   HandleId 0x0  TransactionId {00000000-0000-0000-0000-000000000000}  AccessList %%1537 %%1538 %%1542 %%4416 %%4419 %%4423 AccessReason %%1537: %%1809 %%1538: %%1804 %%1542: %%1810 SeSecurityPrivilege %%4416: %%1809 %%4419: %%1809 %%4423: %%1811 D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108)   AccessMask 0x1030089  PrivilegeList -  RestrictedSidCount 0  ProcessId 0x4  ProcessName The same XML data (from friendly view) is displayed in SCOM. Is there a way I can get SCOM to read the data from the general view of the event viewer instead of it reading from the friendly view. Any help will be appreciated. Thanks in advance! Regards, Abdul Karim

  • Anonymous
    October 16, 2012
    The event rule variables don't seem to work. I have tried  $Data/EventDescription$ as well as  $Data/Context/EventDescription$ I tried them both in the rule itself and in a SMTP channel for a subscription that fires an email for that rule and always get blank results? Can you confirm where we use these variables, in the rule or alert channel and what they should be for an NT Event Log rule?

  • Anonymous
    October 18, 2012
    We have the software remedy and if we try to add [$$BLABLA$$] for example. But the $ always gets interpreted as a variable and we need 2 $ because of the remedy. Here an example: Service Type !1000000099!: [$$Infrastructure Event$$] But it's always: Service Type !1000000099!: [$Infrastructure Event$] In some cases it gets interpreted correctly with 4$ but in some cases not. So do you have a solution for my problem what works for my whole problem? Regards, Jules

  • Anonymous
    January 30, 2013
    I'm trying to update Custom Fields with IP address from text file, is there any suggestions on why I can update the fields with text but not IP?

  • Anonymous
    April 10, 2013
    The comment has been removed

  • Anonymous
    October 02, 2013
    Can someone tell me how to add IP address in case of Linux/Unix alerts

  • Anonymous
    March 20, 2014
    Thanks for posting this. I put this information on the authoring guide: http://social.technet.microsoft.com/wiki/contents/articles/15300.operations-manager-management-pack-authoring-variables.aspx

  • Anonymous
    May 09, 2014
    Hello! I recently had the opportunity of working with a customer who had a pretty simple ask about log

  • Anonymous
    June 23, 2014
    Hello. Can anyone help me? I installed SCOM 2012 R2. Created some rules and monitors. Also, created subscribers, channels and subscriptions. In one of the channels, I add the time in the e-mail message (Time: $Data/Context/DataItem/LastModifiedLocal$). When the alert is on, I see this alert in the Monitoring View, and it has in its properties a field "Created: Пт 20.06.2014 17:08:12", but I get in the e-mail "Time: 6/20/2014 5:08:12 PM"!
    Where must I change the time format? In the system (Windows Server 2012 R2) I have date and time short format: ddd dd.MM.yyyy and short time: H:mm.
    Thanks :)

  • Anonymous
    June 24, 2014
    ok, how to change date-time format in channel variable $Data/Context/DataItem/LastModifiedLocal$.

  • Anonymous
    September 30, 2014
    The comment has been removed

  • Anonymous
    March 24, 2016
    Is there any way to round off the performance counter values in the alerts and notifications? The current CPU % Utilization value shows as 25.102991104125977 %. Can it be rounded off to an integer or to 2 decimal places like 25 or 25.10

  • Anonymous
    September 04, 2016
    I am using SCOM for Network Device monitoring. I am facing one issue. When I remove the up link of my switch it shows me the following alert. Alert: Network Device is Not Responding Source: 192.168.100.150 Path: Not Present Last modified by: System Last modified time: 8/30/2016 11:57:29 PM Alert description: Device 192.168.100.150 (192.168.100.150) is not responding to either ICMP or SNMP requests. Use health explorer to further troubleshoot this issue. With source IP, which is good enough, but when I remove any other ports of the same switch it just shows me the port information. If I have a number of switches in my network then how can I identify which port goes down on which switch. Following is the alert when I remove the cable of any port. Alert: Interface Status Source: PORT-1.3 Path: 30-37-A6-E5-68-C1 Last modified by: System Last modified time: 8/30/2016 11:43:59 PM Alert description: Interface PORT-1.3 is in an unhealthy state. Use health explorer to further troubleshoot this issue. Also it is showing me the MAC of my vlan in the Path option "Path: 30-37-A6-E5-68-C1"; it would be great if we can add IP information of that switch instead of MAC.

    • Anonymous
      September 06, 2016
      I find the script that we need to configure in order to get the IP detail along with the Port number. Alert: $Data[Default='Not Present']/Context/DataItem/AlertName$ Interface : $Data[Default='Not Present']/Context/DataItem/ManagedEntityDisplayName$ Source Device: $Data[Default='Not Present']/Context/DataItem/ManagedEntityFullName$ Set the SMTP channel as mentioned above and you will get the following results. Alert: Interface Status Interface : PORT-1.3 Source Device: System.NetworkManagement.NetworkAdapter:30-37-A6-E5-68-C1;PORT-192.168.100.150/1.3 Path: 30-37-A6-E5-68-C1
  • Anonymous
    October 05, 2016
    I can't seem to find the property for isMonitor to include in emails, so that some technicians who resolve the core issue in the notification will know that the alert doesn't have to be closed in the console. Any thoughts?

  • Anonymous
    December 07, 2016
    I'm using performance monitor to write an event and then use that to trigger a task that needs to pass the data from the "countername" variable to the task. I successfully tested this passing the eventid as an argument, but I can't get it to pass the counter. This is the code I'm using to extract the EventID from event viewer. Event/EventData/Data[@Name='EventID']. But when I change EventID to countername, it just passes a null value. Anyone know how to extract this variable from event viewer?

  • Anonymous
    May 22, 2017
    Great reference. Thanks. I need to send alerts while keeping the names/IPs of the systems involved as vague as possible, yet still be evident where they're coming from. Primarily for the person on-call to receive on their personal device. Example: Server01, 1.2.3.4, located in Tampa. I know which fields to grab, but any ideas on how I shorten this to S01-4-T, or something like that? Thank you.

    • Anonymous
      May 22, 2017
      The only way to massage the data like that would be to use something like SCORCH - to modify the alerts after they are generated, get the properties - change as desired, insert them back into custom fields by modifying the alert, then setting resolution state to something that triggers the notification. You can then use your new properties.
  • Anonymous
    June 12, 2017
    Is there any for SQL Transaction Logs Free or Used space?

  • Anonymous
    June 15, 2017
    Hi Kevin, we have a requirement to add a delimiter in SCOM description using MS Orchestrator. Please guide us on how it can be achieved as we are new to both SCOM and MSO. Thank you, Satya

  • Anonymous
    July 06, 2017
    Hi Kevin, I have created a log file Monitor for monitoring a String in a directory which contains some .txt files. I have created a group on which the servers are added for which the log file monitor will be enabled. Now I am getting the alerts from SCOM, but the description is Empty: I get a mail with description: "Robo Copy File Missing Alert on Log Directory for the log file with error as" Whereas My Alert Description in the Monitor Settings is: Robo Copy File Missing Alert on Log Directory $Data/Context/LogFileDirectory$ for the log file$Data/Context/LogFileName$ with error as $Data/Context/Params/Param[1]$ For the above Alert Description, I have referred to your Rule in the "Logfile Monitors (Alert Description)" Section. But still I do not find a Name of the Log File, Directory and the String I am monitoring. I tried a couple of changes but still no luck. Can you assist what am I missing here in the alert description rule? So that I get the proper text in my alert description. Regards, Kaustubh

  • Anonymous
    January 26, 2018
    The comment has been removed

  • Anonymous
    February 24, 2018
    The comment has been removed

  • Anonymous
    June 05, 2018
    Hello all, please, is there any example of how to send a notification mail when a server is down or offline and also send another mail when it is UP or online? Thank you

  • Anonymous
    December 03, 2018
    Hey guys- apologies if this is the wrong place to post this but I'm trying to figure out how scom derives the information it uses to display the info in the notification body? I've setup monitoring of our Sonus telephony hardware, and there's nothing in the alert description, i.e. 'Last modified time: 11/29/2018 6:09:28 AM Alert description:' which is using the string: 'Alert description: $Data/Context/DataItem/AlertDescription'$ Any ideas on how I'd rectify this? Thanks in advance, Marcus. (PS- OM version 1807)