Alert Description Variables:
The following section contains variables for the Alert Description only.
Event Rules (Alert Description):
EventDisplayNumber (ID): $Data/EventDisplayNumber$ EventDescription (Description): $Data/EventDescription$ Publisher Name (Source): $Data/PublisherName$ EventCategory: $Data/EventCategory$ LoggingComputer: $Data/LoggingComputer$ EventLevel: $Data/EventLevel$ Channel: $Data/Channel$ UserName: $Data/UserName$ EventNumber: $Data/EventNumber$ Event Time: $Data/@time$
Event Monitors (Alert Description):
EventDisplayNumber (Event ID): $Data/Context/EventDisplayNumber$ EventDescription (Description): $Data/Context/EventDescription$ Publisher Name (Event Source): $Data/Context/PublisherName$ EventCategory: $Data/Context/EventCategory$ LoggingComputer: $Data/Context/LoggingComputer$ EventLevel: $Data/Context/EventLevel$ Channel: $Data/Context/Channel$ UserName: $Data/Context/UserName$ EventNumber: $Data/Context/EventNumber$ Event Time: $Data/Context/@time$
Repeating Event Monitors (Alert Description):
EventDisplayNumber (Event ID): $Data/Context/Context/DataItem/EventDisplayNumber$ EventDescription (Description): $Data/Context/Context/DataItem/EventDescription$ Publisher Name (Event Source): $Data/Context/Context/DataItem/PublisherName$ EventCategory: $Data/Context/Context/DataItem/EventCategory$ LoggingComputer: $Data/Context/Context/DataItem/LoggingComputer$ EventLevel: $Data/Context/Context/DataItem/EventLevel$ Channel: $Data/Context/Context/DataItem/Channel$ UserName: $Data/Context/Context/DataItem/UserName$ EventNumber: $Data/Context/Context/DataItem/EventNumber$
Performance Threshold Monitors (Alert Description):
Object (Perf Object Name): $Data/Context/ObjectName$ Counter (Perf Counter Name): $Data/Context/CounterName$ Instance (Perf Instance Name): $Data/Context/InstanceName$ *Value (Perf Counter Value): $Data/Context/Value$ **Last Sampled Value $Data/Context/SampleValue$
*Value will show the actual performance value for simple and avg monitors. It will show number of samples for consecutive threshold monitors.
**Last Sampled Value works to show the last value evaluated in a consecutive sample value monitor.
Service Monitors (Alert Description):
Service Name: $Data/Context/Property[@Name='Name']$ Service Dependencies: $Data/Context/Property[@Name='Dependencies']$ Service Binary Path: $Data/Context/Property[@Name='BinaryPathName']$ Service Display Name: $Data/Context/Property[@Name='DisplayName']$ Service Description: $Data/Context/Property[@Name='Description']$
Logfile Monitors (Alert Description):
Logfile Directory: $Data/Context/LogFileDirectory$ Logfile name: $Data/Context/LogFileName$ String: $Data/Context/Params/Param$
Logfile rules (Alert Description):
Logfile Directory: $Data/EventData/DataItem/LogFileDirectory$ Logfile name: $Data/EventData/DataItem/LogFileName$ String: $Data/EventData/DataItem/Params/Param$
General (Alert Description ONLY. Do NOT use $Target properties for notifications, except the explicitly allowed ones listed below in the notifications section):
To show the name of the Windows Computer host:
These are for notifications only.
$Data/Context/DataItem/AlertId$ The AlertID GUID $Data/Context/DataItem/AlertName$ The Alert Name $Data/Context/DataItem/AlertDescription$ The Alert Description $Data/Context/DataItem/Category$ The Alert category $Data/Context/DataItem/CreatedByMonitor$ True/False $Data/Context/DataItem/Custom1$ CustomField1 $Data/Context/DataItem/Custom2$ CustomField2 $Data/Context/DataItem/Custom3$ CustomField3 $Data/Context/DataItem/Custom4$ CustomField4 $Data/Context/DataItem/Custom5$ CustomField5 $Data/Context/DataItem/Custom6$ CustomField6 $Data/Context/DataItem/Custom7$ CustomField7 $Data/Context/DataItem/Custom8$ CustomField8 $Data/Context/DataItem/Custom9$ CustomField9 $Data/Context/DataItem/Custom10$ CustomField10 $Data/Context/DataItem/DataItemCreateTime$ UTC Date/Time of Dataitem created $Data/Context/DataItem/DataItemCreateTimeLocal$ LocalTime Date/Time of Dataitem created $Data/Context/DataItem/LastModified$ UTC Date/Time DataItem was modified $Data/Context/DataItem/LastModifiedLocal$ Local Date/Time DataItem was modified $Data/Context/DataItem/ManagedEntity$ ManagedEntity GUID $Data/Context/DataItem/ManagedEntityDisplayName$ ManagedEntity Display name $Data/Context/DataItem/ManagedEntityFullName$ ManagedEntity Full name $Data/Context/DataItem/ManagedEntityPath$ Managed Entity Path $Data/Context/DataItem/Priority$ The Alert Priority Number (High=1,Medium=2,Low=3) $Data/Context/DataItem/Owner$ The Alert Owner $Data/Context/DataItem/RepeatCount$ The Alert Repeat Count $Data/Context/DataItem/ResolutionState$ Resolution state ID (0=New, 255= Closed) $Data/Context/DataItem/ResolutionStateLastModified$ UTC Date/Time ResolutionState was last modified $Data/Context/DataItem/ResolutionStateLastModifiedLocal$ Local Date/Time ResolutionState was last modified $Data/Context/DataItem/ResolutionStateName$ The Resolution State Name (New, Closed) $Data/Context/DataItem/ResolvedBy$ Person resolving the alert $Data/Context/DataItem/Severity$ The Alert Severity ID $Data/Context/DataItem/TicketId$ The TicketID $Data/Context/DataItem/TimeAdded$ UTC Time Added $Data/Context/DataItem/TimeAddedLocal$ Local Time Added $Data/Context/DataItem/TimeRaised$ UTC Time Raised $Data/Context/DataItem/TimeRaisedLocal$ Local Time Raised $Data/Context/DataItem/TimeResolved$ UTC Date/Time the Alert was resolved $Data/Context/DataItem/WorkflowId$ The Workflow ID (GUID) $Data/Recipients/To/Address/Address$ The name of the recipient The Web Console URL: $Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"/WebConsoleUrl$ The principalname of the management server: Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"/PrincipalName$
is it possible to further filter Event Description ? In our case Event Description is comma separated and we just need one section of the Description. We have no choice to edit the source since its coming as syslog. I am looking for an option to format the Description on scom end with a message portion only. Any input would be greatly appreciated.
EventDescription (Description): $Data/EventDescription$
Either use event parameters, or… https://kevinholman.com/2016/04/01/how-to-monitor-for-event-logs-and-use-a-script-to-modify-the-output-a-composite-datasource/
Is it possible to get the netbios name of the machine raising the alert so I can send it via web api to our ticketing system? I have been looking and can find no place that the names are done in a standard format
Not easily. This is a common complaint. If you use the SDK to get your alerts, like Microsoft Orchestrator, then yes – this is a field.
Is there away to correlate the event level to an actual descriptive meaning? Consumers of my SCOM data don’t necessarily know what 1, 2, 3, map to. My notifications come through as so:
Event category: 1 Event ID:5740 Event Level: 2
I’d like the “Event Level 2” part to say “Event Level: Warning”
Also, anyway to force a new line between these instead of having them all on the same line?
Thank you! Your blogs are such a huge help in learning SCOM!
Is it possible to query the Computer Description field from Active Directory and the Server itself and bring to the console and E-Mail notifications?
Yes, but only to workflows that target that class with those properties. There is no simple way to add these things to EVERY alert, because SCOM is not computer oriented – it is object oriented. This type of “Alert Enrichment” can be done post alert creation, using something like SCORCH or 3rd party event consolidator tool.
I would like to understand that EventSource and EventID are coming as a part of huge Alert Description.
And now i would like to get EventSource and EventID in the subject line of the alert notification.
How can i trim this?
I want to add CustomField1 while creating alert in powershell unit monitor, How can I do that.
Unfortunately – you cannot add data to custom fields for alerts from monitors, at alert generation. You can however, edit the alert once it is created to add data to alerts from monitors. Sometimes people use scripts or connector tools to modify alerts after they are generated to add data like this.
Is there a way to convert a value in bytes in a performance monitor alert to kbytes?
You would have to re-write the monitor. We can use ScaleBy if we cannot change the datasource (like Perfmon) or we can pass the output to another datasourcemodule to make changes to it, or we can edit the datasource if it is something like a script that gathers the bytes value.
But once the propertybag is submitted into the Alert, there is no way to modify that data value/alert description.
Is there anything for the NETBIOS name instead of the FQDN name? I need to shorten my subject line.
Are there alert variables for SNMP traps that I can use in suppression?
Is it possible to add the value in the section. Eq IntervalSeconds (Overridable) to the Alert Description.
Would be nice to create an Alert description saying “Service XYZ was detected not running after 3 samples with interval of 90 seconds between.”
Yes, but this is a runtime value. You would have to place that into the Alert Description first, to have a meaningful impact on the notification.
Is it possible to refer to the file which is the result of executing script? I mean in description of the alert.
For ex. some file is damaged and monitoring script checking this and forwarding this information to the alert?
I did it like that but it doesn’t work.
I am using $Data[Default=’Not Present’]/Context$ ,it is able to output all from the alert’s alert context tab.
unfortunately it will also put in everything and they do not look good in the email.
is there a way to only grab selected field in alert context, for instance Details?
You can find this when you double click on an alert, and look under the Alert Context Tab.
Is it possible to add the Location value of the network device from a snmp device from System.NetworkManagement.Node in the E-Mail Notification without any Powershell scripts and custom fields.
I would like to put the Location type into the alert Mail but can’t find any solution.
Is there a way to customise the format of Event Time: $Data/@time$? It comes out as 2021-09-08T04:26:33.0053010-07:00.
I don’t think so, I don’t know any way to do that. Only thing I can think of is to add a property of formatted time and output that in your custom script datasource, and then add it to your alert description.
Is $Data/Channel$ the event log name in event rules?
We need to connect SCOM to APPdynamics, the most practical solution is to go through a channel command
We have a Powershell script that works but we cannot get the name of the server, in our example we are monitoring the health monitor , the result in the output txt file does not return the name of the server to us, have your idea, we have tried with $ Target / Host / Property [Type = ”Windows! Microsoft.Windows.Computer”] / NetworkName $ but this does not work.
Below our script:
# Import the Operations Manager module
$Out= $AlertName + ” : ” + $AlertDescription + ” : ” + $AlertOwner + ” : ” + $ManagedEntityPath + ” : ” + $ManagedEntityDisplayName + ” : ” + $ManagedEntityFullName + ” : ” + $ManagedEntity + ” : ” + $NetworkName
Set-Content “c:\Temp\Toto.txt” $Out
Result Output TXT:
Health : Service : Heartbeat : Failure : The : System : Center : Management : Health
Thank you for your help.