
Adding custom information to alert descriptions and notifications

Alert Description Variables:

The following section contains variables for the Alert Description only.

For event Rules (Alert Description):

EventDisplayNumber (Event ID):              $Data/EventDisplayNumber$
EventDescription (Description):               $Data/EventDescription$
Publisher Name (Event Source):              $Data/PublisherName$
EventCategory:                                     $Data/EventCategory$
LoggingComputer:                                $Data/LoggingComputer$
EventLevel:                                          $Data/EventLevel$
Channel:                                              $Data/Channel$
UserName:                                           $Data/UserName$
EventNumber:                                      $Data/EventNumber$
Event Time:                                          $Data/@time$

For event Monitors (Alert Description):

EventDisplayNumber (Event ID):            $Data/Context/EventDisplayNumber$
EventDescription (Description):              $Data/Context/EventDescription$
Publisher Name (Event Source):             $Data/Context/PublisherName$
EventCategory:                                    $Data/Context/EventCategory$
LoggingComputer:                                $Data/Context/LoggingComputer$
EventLevel:                                         $Data/Context/EventLevel$
Channel:                                             $Data/Context/Channel$
UserName:                                          $Data/Context/UserName$
EventNumber:                                     $Data/Context/EventNumber$
Event Time:                                         $Data/Context/@time$

For Repeating Event Monitors (Alert Description):

EventDisplayNumber (Event ID):              $Data/Context/Context/DataItem/EventDisplayNumber$
EventDescription (Description):                $Data/Context/Context/DataItem/EventDescription$
Publisher Name (Event Source):              $Data/Context/Context/DataItem/PublisherName$
EventCategory:                                      $Data/Context/Context/DataItem/EventCategory$
LoggingComputer:                                  $Data/Context/Context/DataItem/LoggingComputer$
EventLevel:                                            $Data/Context/Context/DataItem/EventLevel$
Channel:                                                $Data/Context/Context/DataItem/Channel$
UserName:                                             $Data/Context/Context/DataItem/UserName$
EventNumber:                                         $Data/Context/Context/DataItem/EventNumber$

Performance Threshold Monitors (Alert Description):

Object (Perf Object Name):                    $Data/Context/ObjectName$
Counter (Perf Counter Name):                $Data/Context/CounterName$
Instance (Perf Instance Name):              $Data/Context/InstanceName$
*Value (Perf Counter Value):                  $Data/Context/Value$ 
**Last Sampled Value                            $Data/Context/SampleValue$

*Value shows the actual performance value for simple and avg monitors. For consecutive threshold monitors it shows the number of samples.
**Last Sampled Value shows the last value evaluated in a consecutive sample value monitor.

Service Monitors (Alert Description):

Service Name                         $Data/Context/Property[@Name='Name']$
Service Dependencies             $Data/Context/Property[@Name='Dependencies']$
Service Binary Path                $Data/Context/Property[@Name='BinaryPathName']$
Service Display Name             $Data/Context/Property[@Name='DisplayName']$
Service Description                 $Data/Context/Property[@Name='Description']$

Logfile Monitors (Alert Description):

Logfile Directory :                  $Data/Context/LogFileDirectory$
Logfile name:                        $Data/Context/LogFileName$
String:                                  $Data/Context/Params/Param[1]$

Logfile rules (Alert Description):

Logfile Directory:                   $Data/EventData/DataItem/LogFileDirectory$
Logfile name:                        $Data/EventData/DataItem/LogFileName$
String:                                  $Data/EventData/DataItem/Params/Param[1]$

General (Alert Description ONLY.  Do NOT use $Target properties for notifications, except the explicitly allowed ones listed below in the notifications section):

To show the name of the Windows Computer host:
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$

 

Notification Variables:

These are for notifications only.

Notifications:

$Data/Context/DataItem/AlertId$                                       The AlertID GUID
$Data/Context/DataItem/AlertName$                                   The Alert Name
$Data/Context/DataItem/AlertDescription$                              The Alert Description
$Data/Context/DataItem/Category$                                    The Alert category
$Data/Context/DataItem/CreatedByMonitor$                       True/False
$Data/Context/DataItem/Custom1$                                     CustomField1
$Data/Context/DataItem/Custom2$                                    CustomField2
$Data/Context/DataItem/Custom3$                                    CustomField3
$Data/Context/DataItem/Custom4$                                    CustomField4
$Data/Context/DataItem/Custom5$                                    CustomField5
$Data/Context/DataItem/Custom6$                                     CustomField6
$Data/Context/DataItem/Custom7$                                     CustomField7
$Data/Context/DataItem/Custom8$                                     CustomField8
$Data/Context/DataItem/Custom9$                                     CustomField9
$Data/Context/DataItem/Custom10$                                  CustomField10
$Data/Context/DataItem/DataItemCreateTime$                      UTC Date/Time of Dataitem created
$Data/Context/DataItem/DataItemCreateTimeLocal$               LocalTime Date/Time of Dataitem created
$Data/Context/DataItem/LastModified$                                 UTC Date/Time DataItem was modified
$Data/Context/DataItem/LastModifiedLocal$                          Local Date/Time DataItem was modified
$Data/Context/DataItem/ManagedEntity$                               ManagedEntity GUID
$Data/Context/DataItem/ManagedEntityDisplayName$             ManagedEntity Display name
$Data/Context/DataItem/ManagedEntityFullName$                   ManagedEntity Full name
$Data/Context/DataItem/ManagedEntityPath$                          Managed Entity Path
$Data/Context/DataItem/Priority$                                          The Alert Priority Number (High=1,Medium=2,Low=3)
$Data/Context/DataItem/Owner$                                           The Alert Owner
$Data/Context/DataItem/RepeatCount$                                  The Alert Repeat Count
$Data/Context/DataItem/ResolutionState$                               Resolution state ID (0=New, 255= Closed)
$Data/Context/DataItem/ResolutionStateLastModified$                 UTC Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateLastModifiedLocal$          Local Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateName$                       The Resolution State Name (New, Closed)
$Data/Context/DataItem/ResolvedBy$                                     Person resolving the alert
$Data/Context/DataItem/Severity$                                          The Alert Severity ID
$Data/Context/DataItem/TicketId$                                           The TicketID
$Data/Context/DataItem/TimeAdded$                                       UTC Time Added
$Data/Context/DataItem/TimeAddedLocal$                               Local Time Added
$Data/Context/DataItem/TimeRaised$                                      UTC Time Raised
$Data/Context/DataItem/TimeRaisedLocal$                              Local Time Raised
$Data/Context/DataItem/TimeResolved$                                  UTC Date/Time the Alert was resolved
$Data/Context/DataItem/WorkflowId$                                      The Workflow ID (GUID)
$Data/Recipients/To/Address/Address$                                    The name of the recipient

The Web Console URL:
$Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"]/WebConsoleUrl$

The principalname of the management server:
$Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"]/PrincipalName$
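
A small linter for the pitfalls this reference implies (an added example, not part of the original post): it flags curly quotes, unbalanced `$` or brackets, event variables whose path does not match the workflow type, and `$Target` variables in notifications other than the two listed above. The function name and the `kind` labels are this example's own.

```python
import re

# Event fields and per-workflow path prefixes, as listed on this page.
EVENT_FIELDS = {"EventDisplayNumber", "EventDescription", "PublisherName",
                "EventCategory", "LoggingComputer", "EventLevel", "Channel",
                "UserName", "EventNumber"}
EVENT_PREFIX = {  # the keys are labels chosen for this example
    "event_rule": "Data/",
    "event_monitor": "Data/Context/",
    "repeating_event_monitor": "Data/Context/Context/DataItem/",
}
# The two $Target variables the page allows in notifications (straight quotes).
_SERVER = 'Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"]/'
ALLOWED_TARGETS = {_SERVER + "WebConsoleUrl", _SERVER + "PrincipalName"}
CURLY_QUOTES = "\u2018\u2019\u201c\u201d"


def lint_template(template, kind):
    """Return a list of problems in an alert description or notification template.

    kind is a key of EVENT_PREFIX, "notification", or any other label for
    templates that only get the syntax checks.
    """
    problems = []
    if any(ch in CURLY_QUOTES for ch in template):
        problems.append("curly quotes: retype them as ' or \"")
    if template.count("$") % 2:
        problems.append("odd number of $: a variable is missing a delimiter")
    for var in re.findall(r"\$([^$\s]+)\$", template):
        if var.count("[") != var.count("]"):
            problems.append(f"unbalanced brackets in ${var}$")
        if kind == "notification" and var.startswith("Target/") and var not in ALLOWED_TARGETS:
            problems.append(f"$Target variable not allowed in notifications: ${var}$")
        field = var.rsplit("/", 1)[-1]
        if kind in EVENT_PREFIX and field in EVENT_FIELDS:
            expected = EVENT_PREFIX[kind] + field
            if var != expected:
                problems.append(f"${var}$ should be ${expected}$ for {kind}")
    return problems


if __name__ == "__main__":
    # Constructed sample: an event-rule path pasted into an event monitor.
    sample = "Event ID: $Data/EventDisplayNumber$ Level: $Data/Context/EventLevel$"
    for problem in lint_template(sample, "event_monitor"):
        print(problem)
```
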

13 Comments

  1. Vinod

    Hello Holman,
    Is it possible to further filter Event Description? In our case Event Description is comma separated and we just need one section of the Description. We have no choice to edit the source since it's coming as syslog. I am looking for an option to format the Description on the SCOM end with a message portion only. Any input would be greatly appreciated.

    EventDescription (Description): $Data/EventDescription$

  2. Rick Bywalski

    Is it possible to get the NetBIOS name of the machine raising the alert so I can send it via web API to our ticketing system? I have been looking and can find no place that the names are done in a standard format.

  3. Anthony W

    Is there a way to correlate the event level to an actual descriptive meaning? Consumers of my SCOM data don’t necessarily know what 1, 2, 3, map to. My notifications come through as so:
    Event category: 1 Event ID:5740 Event Level: 2

    I’d like the “Event Level 2” part to say “Event Level: Warning”

    Also, any way to force a new line between these instead of having them all on the same line?

    Thank you! Your blogs are such a huge help in learning SCOM!

  4. Neol A

    Hi Kevin,

    Is it possible to query the Computer Description field from Active Directory and the Server itself and bring to the console and E-Mail notifications?

    • Kevin Holman

      Yes, but only to workflows that target that class with those properties. There is no simple way to add these things to EVERY alert, because SCOM is not computer oriented – it is object oriented. This type of “Alert Enrichment” can be done post alert creation, using something like SCORCH or 3rd party event consolidator tool.

  5. Rahul

    Hi,

    I would like to understand that EventSource and EventID are coming as a part of huge Alert Description.
    And now I would like to get EventSource and EventID in the subject line of the alert notification.
    How can I trim this?

    Please help.

    • Kevin Holman

      Unfortunately – you cannot add data to custom fields for alerts from monitors, at alert generation. You can however, edit the alert once it is created to add data to alerts from monitors. Sometimes people use scripts or connector tools to modify alerts after they are generated to add data like this.

    • Kevin Holman

      You would have to re-write the monitor. We can use ScaleBy if we cannot change the datasource (like Perfmon) or we can pass the output to another datasourcemodule to make changes to it, or we can edit the datasource if it is something like a script that gathers the bytes value.

      But once the propertybag is submitted into the Alert, there is no way to modify that data value/alert description.
