alert rule, suppress after first event for some time, condition detection PublisherName

  • Question

  • Hello

    Each problem with the application has the same event ID / PublisherName but a different description

    So you can see there are a lot of alerts, but they are the same, with the same description


    We need to suppress any alert with a unique description from the event ID for 1 hour

    What condition detection mode should I use, and can I even suppress it using the description?

    Original rule without any suppression:

    <Rule ID="NetworkAdvisor.FabricView.EventRuleWarning" Enabled="true" Target="System!System.Computer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
    	<Category>Custom</Category>
    	<DataSources>
    		<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
    			<ComputerName>.</ComputerName>
    			<LogName>Application</LogName>
    			<Expression>
    				<And>
    					<Expression>
    						<Or>
    							<Expression>
    								<SimpleExpression>
    									<ValueExpression>
    										<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
    									</ValueExpression>
    									<Operator>Equal</Operator>
    									<ValueExpression>
    										<Value Type="UnsignedInteger">3</Value>
    									</ValueExpression>
    								</SimpleExpression>
    							</Expression>
    							<Expression>
    								<SimpleExpression>
    									<ValueExpression>
    										<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
    									</ValueExpression>
    									<Operator>Equal</Operator>
    									<ValueExpression>
    										<Value Type="UnsignedInteger">4</Value>
    									</ValueExpression>
    								</SimpleExpression>
    							</Expression>
    							<Expression>
    								<SimpleExpression>
    									<ValueExpression>
    										<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
    									</ValueExpression>
    									<Operator>Equal</Operator>
    									<ValueExpression>
    										<Value Type="UnsignedInteger">5</Value>
    									</ValueExpression>
    								</SimpleExpression>
    							</Expression>
    						</Or>
    					</Expression>
    					<Expression>
    						<SimpleExpression>
    							<ValueExpression>
    								<XPathQuery Type="String">PublisherName</XPathQuery>
    							</ValueExpression>
    							<Operator>Equal</Operator>
    							<ValueExpression>
    								<Value Type="String">DCM</Value>
    							</ValueExpression>
    						</SimpleExpression>
    					</Expression>
    				</And>
    			</Expression>
    		</DataSource>
    	</DataSources>
    	<WriteActions>
    		<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
    			<Priority>1</Priority>
    			<Severity>1</Severity>
    			<AlertName />
    			<AlertDescription />
    			<AlertOwner />
    			<AlertMessageId>$MPElement[Name="NetworkAdvisor.FabricView.EventRule.AlertMessage"]$</AlertMessageId>
    			<AlertParameters>
    				<AlertParameter1>$Data/EventDescription$</AlertParameter1>
    			</AlertParameters>
    			<Suppression />
    			<Custom1 />
    			<Custom2 />
    			<Custom3 />
    			<Custom4 />
    			<Custom5 />
    			<Custom6 />
    			<Custom7 />
    			<Custom8 />
    			<Custom9 />
    			<Custom10 />
    		</WriteAction>
    	</WriteActions>
    </Rule>

    As I understand, it's not a good idea to filter by description, but it's the only way to detect a problem in an alert storm

    Many thanks




    • Edited by SComrrr Saturday, October 5, 2019 10:12 AM
    Saturday, October 5, 2019 10:03 AM

All replies

  • Not sure if you can do a suppression on description... Or apparently not.  See this:  https://docs.microsoft.com/en-us/previous-versions/system-center/developer/ee809352(v=msdn.10)?redirectedfrom=MSDN

    Worst case, you would need to create a rule per description and have it suppressed.

    Monday, October 7, 2019 12:48 PM
  • I think that it is not possible to suppress a rule alert for description under your current setting.
    Recommended workaround:
    1) Disable the original alert rule.
    2) Create two rules.
    3) The first one is the same as the original one except for the event with the description which you want to suppress.
    4) The second one monitors the event with the per-design description.
    5) Enable the suppression setting on the second rule.
    Roger
    Tuesday, October 8, 2019 5:36 AM
  • Don't think I've tried to do it by alert description.

    However, you could perhaps pass some kind of value into a Custom Field with consistent descriptions and try to group them by the Custom Field in that way.

    You could suppress them by the value in the Custom Field


    Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro

    Tuesday, October 8, 2019 8:48 AM
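
For reference, an added example (not posted by anyone in this thread): the question's alert write action with `<Suppression>` filled in, so that repeats carrying the same event number, publisher, computer and description text fold into one alert, and with the description also copied into `Custom1` for grouping in views. It assumes the description string is identical on every repeat; suppression in `System.Health.GenerateAlert` raises the repeat count of a matching alert for as long as that alert stays open, so it is not a one-hour timer.

```xml
<WriteActions>
  <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
    <Priority>1</Priority>
    <Severity>1</Severity>
    <AlertName />
    <AlertDescription />
    <AlertOwner />
    <AlertMessageId>$MPElement[Name="NetworkAdvisor.FabricView.EventRule.AlertMessage"]$</AlertMessageId>
    <AlertParameters>
      <AlertParameter1>$Data/EventDescription$</AlertParameter1>
    </AlertParameters>
    <!-- Before: <Suppression /> (empty), so every matching event raised its own alert. -->
    <!-- After: events whose values below all match an open alert only increment
         that alert's repeat count instead of creating a new alert. -->
    <Suppression>
      <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
      <SuppressionValue>$Data/PublisherName$</SuppressionValue>
      <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
      <!-- Assumption: the description text is byte-for-byte identical on repeats.
           Any varying part (timestamp, counter, session id) defeats the match. -->
      <SuppressionValue>$Data/EventDescription$</SuppressionValue>
    </Suppression>
    <!-- Optional: expose the description as a custom field for view grouping. -->
    <Custom1>$Data/EventDescription$</Custom1>
    <Custom2 />
    <Custom3 />
    <Custom4 />
    <Custom5 />
    <Custom6 />
    <Custom7 />
    <Custom8 />
    <Custom9 />
    <Custom10 />
  </WriteAction>
</WriteActions>
```

Once the open alert is closed, the next matching event raises a new alert, so the effective suppression window is set by how quickly alerts are resolved or auto-closed.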