Menu Close

Adding custom information to alert descriptions and notifications

Alert Description Variables:

The following section contains variables for the Alert Description only.

For event Rules (Alert Description):

EventDisplayNumber (Event ID):              $Data/EventDisplayNumber$
EventDescription (Description):               $Data/EventDescription$
Publisher Name (Event Source):              $Data/PublisherName$
EventCategory:                                     $Data/EventCategory$
LoggingComputer:                                $Data/LoggingComputer$
EventLevel:                                          $Data/EventLevel$
Channel:                                              $Data/Channel$
UserName:                                           $Data/UserName$
EventNumber:                                      $Data/EventNumber$
Event Time:                                          $Data/@time$

For event Monitors (Alert Description):

EventDisplayNumber (Event ID):            $Data/Context/EventDisplayNumber$
EventDescription (Description):              $Data/Context/EventDescription$
Publisher Name (Event Source):             $Data/Context/PublisherName$
EventCategory:                                    $Data/Context/EventCategory$
LoggingComputer:                                $Data/Context/LoggingComputer$
EventLevel:                                         $Data/Context/EventLevel$
Channel:                                             $Data/Context/Channel$
UserName:                                          $Data/Context/UserName$
EventNumber:                                     $Data/Context/EventNumber$
Event Time:                                         $Data/Context/@time$

For Repeating Event Monitors (Alert Description):

EventDisplayNumber (Event ID):              $Data/Context/Context/DataItem/EventDisplayNumber$
EventDescription (Description):                $Data/Context/Context/DataItem/EventDescription$
Publisher Name (Event Source):              $Data/Context/Context/DataItem/PublisherName$
EventCategory:                                      $Data/Context/Context/DataItem/EventCategory$
LoggingComputer:                                  $Data/Context/Context/DataItem/LoggingComputer$
EventLevel:                                            $Data/Context/Context/DataItem/EventLevel$
Channel:                                                $Data/Context/Context/DataItem/Channel$
UserName:                                             $Data/Context/Context/DataItem/UserName$
EventNumber:                                         $Data/Context/Context/DataItem/EventNumber$

Performance Threshold Monitors (Alert Description):

Object (Perf Object Name):                    $Data/Context/ObjectName$
Counter (Perf Counter Name):                $Data/Context/CounterName$
Instance (Perf Instance Name):              $Data/Context/InstanceName$
*Value (Perf Counter Value):                  $Data/Context/Value$ 
**Last Sampled Value                            $Data/Context/SampleValue$

*Value will show the actual performance value for simple and avg monitors.  It will show number of samples for consecutive threshold monitors.
**Last Sampled Value works to show the last value evaluated in a consecutive sample value monitor.

Service Monitors (Alert Description):

Service Name                         $Data/Context/Property[@Name=’Name’]$
Service Dependencies             $Data/Context/Property[@Name=’Dependencies’]$
Service Binary Path                $Data/Context/Property[@Name=’BinaryPathName’]$
Service Display Name             $Data/Context/Property[@Name=’DisplayName’]$
Service Description                 $Data/Context/Property[@Name=’Description’]$

Logfile Monitors (Alert Description):

Logfile Directory :                  $Data/Context/LogFileDirectory$
Logfile name:                        $Data/Context/LogFileName$
String:                                  $Data/Context/Params/Param[1]$

Logfile rules (Alert Description):

Logfile Directory:                   $Data/EventData/DataItem/LogFileDirectory$
Logfile name:                        $Data/EventData/DataItem/LogFileName$
String:                                  $Data/EventData/DataItem/Params/Param[1]$

General (Alert Description ONLY.  Do NOT use $Target properties for notifications, except the explicitly allowed ones listed below in the notifications section):

To show the name of the Windows Computer host:
$Target/Host/Property[Type=”Windows!Microsoft.Windows.Computer”]/NetworkName$

 

Notification Variables:

These are for notifications only.

Notifications:

$Data/Context/DataItem/AlertId$                                       The AlertID GUID
$Data/Context/DataItem/AlertName$                                   The Alert Name
$Data/Context/DataItem/AlertDescription$                              The Alert Description
$Data/Context/DataItem/Category$                                    The Alert category
$Data/Context/DataItem/CreatedByMonitor$                       True/False
$Data/Context/DataItem/Custom1$                                     CustomField1
$Data/Context/DataItem/Custom2$                                    CustomField2
$Data/Context/DataItem/Custom3$                                    CustomField3
$Data/Context/DataItem/Custom4$                                    CustomField4
$Data/Context/DataItem/Custom5$                                    CustomField5
$Data/Context/DataItem/Custom6$                                     CustomField6
$Data/Context/DataItem/Custom7$                                     CustomField7
$Data/Context/DataItem/Custom8$                                     CustomField8
$Data/Context/DataItem/Custom9$                                     CustomField9
$Data/Context/DataItem/Custom10$                                  CustomField10
$Data/Context/DataItem/DataItemCreateTime$                      UTC Date/Time of Dataitem created
$Data/Context/DataItem/DataItemCreateTimeLocal$               LocalTime Date/Time of Dataitem created
$Data/Context/DataItem/LastModified$                                 UTC Date/Time DataItem was modified
$Data/Context/DataItem/LastModifiedLocal$                          Local Date/Time DataItem was modified
$Data/Context/DataItem/ManagedEntity$                               ManagedEntity GUID
$Data/Context/DataItem/ManagedEntityDisplayName$             ManagedEntity Display name
$Data/Context/DataItem/ManagedEntityFullName$                   ManagedEntity Full name
$Data/Context/DataItem/ManagedEntityPath$                          Managed Entity Path
$Data/Context/DataItem/Priority$                                          The Alert Priority Number (High=1,Medium=2,Low=3)
$Data/Context/DataItem/Owner$                                           The Alert Owner
$Data/Context/DataItem/RepeatCount$                                  The Alert Repeat Count
$Data/Context/DataItem/ResolutionState$                               Resolution state ID (0=New, 255= Closed)
$Data/Context/DataItem/ResolutionStateLastModified$                 UTC Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateLastModifiedLocal$          Local Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateName$                       The Resolution State Name (New, Closed)
$Data/Context/DataItem/ResolvedBy$                                     Person resolving the alert
$Data/Context/DataItem/Severity$                                          The Alert Severity ID
$Data/Context/DataItem/TicketId$                                           The TicketID
$Data/Context/DataItem/TimeAdded$                                       UTC Time Added
$Data/Context/DataItem/TimeAddedLocal$                               Local Time Added
$Data/Context/DataItem/TimeRaised$                                      UTC Time Raised
$Data/Context/DataItem/TimeRaisedLocal$                              Local Time Raised
$Data/Context/DataItem/TimeResolved$                                  UTC Date/Time the Alert was resolved
$Data/Context/DataItem/WorkflowId$                                      The Workflow ID (GUID)
$Data/Recipients/To/Address/Address$                                    The name of the recipient

The Web Console URL:
$Target/Property[Type=”Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer”/WebConsoleUrl$

The principalname of the management server:
Target/Property[Type=”Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer”/PrincipalName$

7 Comments

  1. Vinod

    Hello Holman,
    is it possible to further filter Event Description ? In our case Event Description is comma separated and we just need one section of the Description. We have no choice to edit the source since its coming as syslog. I am looking for an option to format the Description on scom end with a message portion only. Any input would be greatly appreciated.

    EventDescription (Description): $Data/EventDescription$

  2. Rick Bywalski

    Is it possible to get the netbios name of the machine raising the alert so I can send it via web api to our ticketing system? I have been looking and can find no place that the names are done in a standard format

  3. Anthony W

    Is there away to correlate the event level to an actual descriptive meaning? Consumers of my SCOM data don’t necessarily know what 1, 2, 3, map to. My notifications come through as so:
    Event category: 1 Event ID:5740 Event Level: 2

    I’d like the “Event Level 2” part to say “Event Level: Warning”

    Also, anyway to force a new line between these instead of having them all on the same line?

    Thank you! Your blogs are such a huge help in learning SCOM!

  4. Neol A

    Hi Kevin,

    Is it possible to query the Computer Description field from Active Directory and the Server itself and bring to the console and E-Mail notifications?

    • Kevin Holman

      Yes, but only to workflows that target that class with those properties. There is no simple way to add these things to EVERY alert, because SCOM is not computer oriented – it is object oriented. This type of “Alert Enrichment” can be done post alert creation, using something like SCORCH or 3rd party event consolidator tool.

Leave a Reply

Your email address will not be published. Required fields are marked *