How to create an alert view with NOT INCLUDING alerts from specific site?

  • Question

  • Hi,

    Does anyone have a working solution for creating an alert view which would filter alerts so that all alerts would be shown except ones from "Sitename = HQ"?

    I am aware that it is very easy to create an alert view which shows alerts with "Sitename = HQ", but this is the exact opposite.

    Also it would resolve this issue if I could add Sitename property to normal management server. I know that the sitename attribute resides in SQL database for GW's, but I have not tested yet if it is possible to add one for a management server (manually directly to the DB). I am quite sure that would not be supported either.

    Thanks for all ideas to get around this problem!

    -Tero


    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM
    Tuesday, December 21, 2010 1:24 PM

Answers

  • If sites map to subnets, you could perhaps group computers based on IP address and then alert based on custom groups

    Dynamic Group Population by Subnet(s) in SCOM 2007 - Advanced Formula Examples


    Pete Zerger, MVP-OpsMgr and SCE | http://www.systemcentercentral.com
    Tuesday, December 21, 2010 2:54 PM
  • Hi Tero, I am not sure. But what I was talking about is to group all Servers in one group. This should automatically include all objects contained within that level (so websites and databases hosted on that box). This is the same as when you would use Site or IP range(s) to define the objects together as a group of entities.

    It all depends on the info you have available. For instance, for servers and network devices you can use the IP address to create groupings (Pete Zerger has a few posts on that). Or you could use SiteName if that is defined on those items. Next option would be to group servers and devices based on their naming convention. Windows servers on basis of AD site name(s) is possible. And of course like I suggested there is also creating a group for HQ in some way and create another one that contains the opposite. Or actually directly create not-contains or not-equals rules of some sort.

    But again, normally you would use the top level objects here. Network Device, Windows Server, Unix Server. And those contain all objects below that level (websites/databases/exchange role/network adapter/whatever), so you should go for those top levels to bring those together. Most likely by one of the criteria I just mentioned. IP or AD site or sitename (through another way), naming convention, or picking the smallest group of objects and excluding that one from the larger group. These mostly should work automatically as well without manual changes all the time. Other option left (and not funny with big numbers) is to create a Savision Live Map/List and quick select the objects and drop them all on the map or list.
    These options must bring you somewhere.


    Bob Cornelissen - BICTT (My BICTT Blog)
    Thursday, April 21, 2011 11:04 AM

All replies

  • Thanks Pete for the reply.

    I believe that is not the solution as that will not get all the members required to the group. I mean not all the alerts will be created by windows computer objects but perhaps IIS's, SQL Servers, network devices, ESX hosts and the list goes on.

    Due to the amount of servers (several hundreds) with several naming standards and A LOT of IP ranges, I think grouping would be impossible to handle in long term. I have registry keys in place in all of the monitored computers so I can group them by the registry value, but not able to do it by the requirements stated in my first post.

    I will still test your suggestion to see if the windows computer object will also include all the alerts created by the objects descending from windows computer. Haven't played a lot with the views yet, but I guess there's a first time for everything ;)

    -Tero


    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM
    Tuesday, December 21, 2010 4:13 PM
  • What is the target type of the Alert View (Show Data related to ____)?  Is it Management Servers?


    Michael Pearson
    OpsMgr Performance Test Team
    http://blogs.technet.com/michaelpearson/

    This posting is provided "AS IS" with no warranties, and confers no rights. Use of attachments are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
    Tuesday, December 21, 2010 6:50 PM
  • Hi Tero,

    Try to use a regexp for that:

    From a specific Site = [^(SiteName that you want to exclude)] 

    HTH


    http://OpsMgr.ru/
    Wednesday, December 22, 2010 3:13 PM
  • Michael:

    show data related to entity. Goal is to show all alerts except ones coming from a specific site

    Alexey:

    I played with the view creation, but it seems that you can only use SQL wildcards % and _ in the query. Therefore there is no "not" operator. Regular expressions don't seem to work either.

     


    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM
    Wednesday, December 22, 2010 11:55 PM
  • I went all the way to check how the filter is saved to OperationsManager DB and where the information exactly is. All the views in monitoring tab can be found via SQL view dbo.ViewsView. ConfigurationXml column in the view has the information how to filter the view in SCOM.

    At the moment I was able to pick out how Sitename is defined in the ConfigurationXml column. It's like this: "<Criteria><Site>Testsite</Site></Criteria>". Right now I am still unaware how/where that XML is afterwards used, so I am unable to figure this one out fully yet.

    This is probably the hard way, all other suggestions are very welcome!

    -Tero


    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM
    Thursday, December 23, 2010 12:37 AM
  • Tero,

    Like you mention, the SQL query that is generated adds a "%" to whatever you put into your filter criteria.  Unfortunately, a "not" filter doesn't exist.  The only way we've gotten customers around this in the past was to turn the logic around completely.  This isn't the easiest solution, but it can sometimes work.

    Instead of "SiteName Not like <site to exclude>" try "SiteName like <Site 1> or <Site 2> or <Site 3>" until you have all of the sites listed.  This is not ideal, but it should work for you.  Be careful as you add sites though, since you'd need to add that site to this list to get the alerts!


    Michael Pearson
    OpsMgr Performance Test Team
    http://blogs.technet.com/michaelpearson/

    This posting is provided "AS IS" with no warranties, and confers no rights. Use of attachments are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
    • Marked as answer by Vivian Xing Monday, December 27, 2010 8:56 AM
    • Unmarked as answer by Tero Ilenius Wednesday, December 29, 2010 10:58 AM
    Friday, December 24, 2010 5:56 PM
  • Thanks for the response Michael. However... :)

    There still is the issue that we have agents connected to normal management servers and those do not have the Sitename attribute defined. And as far as I know, it is still not supported in any way by Microsoft. So I am still unable to resolve the problem with the suggested workaround.

    I think I am going to investigate more to set normal management servers the Sitename attribute in a test environment.

    -Tero


    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM
    Wednesday, December 29, 2010 10:57 AM
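
The gap between the include-list workaround and the "everything except HQ" view the question asks for can be seen on a small model. This is an added example, not code from any poster or from SCOM: it uses an in-memory SQLite table with hypothetical table, column and site names and constructed alerts, and it models the filter as `LIKE` with a trailing `%`, as the thread describes.

```python
import sqlite3

# Constructed sample alerts. site_name is NULL for agents that report to a
# regular management server, which the thread says carry no Sitename.
SAMPLE_ALERTS = [
    (1, "Disk space low", "HQ"),
    (2, "IIS app pool stopped", "Branch-East"),
    (3, "SQL agent job failed", "Branch-West"),
    (4, "Heartbeat failure", None),           # no site defined
    (5, "Service stopped", "Branch-North"),   # site added after the view was built
]


def load(alerts):
    """Create the hypothetical alert table in memory and fill it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alert (id INTEGER, name TEXT, site_name TEXT)")
    db.executemany("INSERT INTO alert VALUES (?, ?, ?)", alerts)
    return db


def include_list_view(db, sites):
    """Inverted logic: site_name LIKE '<site>%' OR ... for every listed site."""
    if not sites:
        return []
    where = " OR ".join("site_name LIKE ?" for _ in sites)
    rows = db.execute(
        f"SELECT id FROM alert WHERE {where} ORDER BY id",
        [s + "%" for s in sites],
    )
    return [r[0] for r in rows]


def wanted_view(db, excluded):
    """The requested view: every alert not from the excluded site, NULL included."""
    rows = db.execute(
        "SELECT id FROM alert WHERE site_name IS NULL OR site_name <> ? ORDER BY id",
        (excluded,),
    )
    return [r[0] for r in rows]


def missed_alerts(db, sites, excluded):
    """Alerts the operator expects to see but the include-list view hides."""
    return sorted(set(wanted_view(db, excluded)) - set(include_list_view(db, sites)))


if __name__ == "__main__":
    db = load(SAMPLE_ALERTS)
    print(missed_alerts(db, ["Branch-East", "Branch-West"], "HQ"))
```

The two alerts reported as missed are the one with no site and the one from a site that was never added to the list, so an include-list view needs a periodic check of this kind to avoid silently hiding alerts.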
  • I totally agree that we need a NOT clause for alert views!

    I was totally unaware of this Site concept. We have GWs but they do not set the Site property for alerts (coming from computers managed by GWs).

    You could probably use a notification channel (triggering a command) to set the site on alerts not having one defined, or use Orchestrator (Opalis) do the same.

    Or some other mechanism.

    /Roger


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, April 14, 2011 11:59 AM
  • Perhaps going back to before... You mention that it is easy to create the group for HQ. And you want the opposite. You can create a group covering everything, except the members of the HQ group. That would give you the group of "everything else". Perhaps that will help you?
    Bob Cornelissen - BICTT (My BICTT Blog)
    Monday, April 18, 2011 8:29 AM
  • I don't think you can resolve this issue with groups as what I want to achieve is to create a view that would show me all alerts coming from anywhere else except "site = HQ". This concerns alerts, not objects. Objects can be whatever as long as they are not in a certain site so what would I pick to the group?

    -Tero


    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM
    Tuesday, April 19, 2011 10:41 AM
  • Hi Tero. Well, because the alerts are coming from objects in those other locations. So if you could group them together you can apply the filter. If you create a group containing all servers/devices in the HQ in some way, then you can create a group with all objects not belonging to the HQ group (exclude that group from the members). And you can create an alert view for all alerts coming from HQ and all alerts coming from the "rest" group.
    Bob Cornelissen - BICTT (My BICTT Blog)
    Wednesday, April 20, 2011 5:43 AM
  • Hi Bob and thanks for the ideas. I agree it would work by selecting objects to a group if the world was perfect. BUT we are talking about hundreds of object types. If you were able to select objects like "this entity and all objects that have been created from the selected entity" then it might be possible, but unfortunately the world is not perfect - not even SCOM - I believe this is not possible. So then we are back to start, not able to select all objects of different types, because there are too many of them to be controlled.


    MCT | MCSE | MCITP | MCTS SCOM, SCCM, SCVMM, SCDPM
    Thursday, April 21, 2011 10:28 AM
  • Hello. No activity for over 30 days. Will mark as answer. Feel free to re-open. Thanks
    --------------------------------------------------------------------------------
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
    Sunday, September 18, 2011 10:05 AM