none
Enabling SCOM Notification subscription via powershell and not sending alerts from the disabled period RRS feed

  • Question

  • Morning all,

    I've got an instance in SCOM 2012 where I'm using a powershell script running every night at midnight to close a bunch of alerts.  I do not want these alerts to generate "closed" notifications as one of the subscribers is SMS (and will be woken up).

    I've tried using:

    - The 'With a specific resolution state' of 0 in the criteria of the subscription - This results in no alerts, whether they are open or closed

    - disabling and enabling the notification subscription before and after closing the alerts in the script using the commands 'Disable-SCOMNotificationSubscription' and 'Enable-SCOMNotificationSubscription ' - This still results in the alerts.

    I haven't tried putting the devices into maint mode.

    Any ideas?  We are running V7.0.8560.0 of SCOM 2012

    thanks

    John H

    Thursday, May 16, 2013 9:27 AM

Answers

  • Alerts took several days to close manually?  Not sure why that's the case, unless you have very poor performance.  Anyway, I don't see a problem leaving alerts in the console, unless you have the rule created to not do repeat count increments.  I remember in our lab, one day, we had 34K alerts.  All but 200 alerts, were coming from one computer.  The computer was a bit hosed, and was logging an event that was being picked up by a rule with no alert consolidation.  I highlighted all 34K and closed them and it only took a few seconds...  Then I had someone bounce the server that was causing the issue.

    Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

    Thursday, May 16, 2013 3:58 PM
    Moderator

All replies

  • Why are you closing alerts on a nightly basis?  That's creating more work for your ops db if these alerts reappear every day.  You should probably leave them in the console and let the default grooming knock them out, or start to investigate if these alerts are even needed imho.

    Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

    Thursday, May 16, 2013 3:38 PM
    Moderator
  • thanks for the reply.

    In short, these alerts are created by a custom application of ours writing to the event log.  This is then picked up by a single custom SCOM rule, but the description of the alert contains the actual error.  You're looking at about 60 or so alerts being raised in this way per day.

    I understand that the better way of working is for the team in charge of this system to manually close alerts when they're finished with them but this is not possible at the moment.  When I originally enforced this, we ended up with a load of open alerts, which took several days to close manually.

    Thursday, May 16, 2013 3:45 PM
  • Alerts took several days to close manually?  Not sure why that's the case, unless you have very poor performance.  Anyway, I don't see a problem leaving alerts in the console, unless you have the rule created to not do repeat count increments.  I remember in our lab, one day, we had 34K alerts.  All but 200 alerts, were coming from one computer.  The computer was a bit hosed, and was logging an event that was being picked up by a rule with no alert consolidation.  I highlighted all 34K and closed them and it only took a few seconds...  Then I had someone bounce the server that was causing the issue.

    Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

    Thursday, May 16, 2013 3:58 PM
    Moderator
  • There were about a million alerts by the time somebody noticed (SCOM was in its infancy and was not being checked).  The issue was that the console just could handle me selecting more than 10k or 20k of said alerts and powershell scripts just sat there and timed out.

    Thursday, May 16, 2013 4:02 PM
  • Sounds like your operations team needs to be water boarded.  Good luck man.

    Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.

    Thursday, May 16, 2013 4:05 PM
    Moderator
  • Old post, but for anyone still looking for a way to do this

    Use VS to write a PS ?module and use the SCOM API libraries

    s.Update(True) tells SCOM to enable a notification subscription with a reset to prevent an alert storm

    foreach (NotificationSubscription s in newNotificationList)
                    {
                            WriteObject("Enabling subscription: " + s.DisplayName);
                            s.Enabled = true;
                            s.Update(true);
                    }


    Warm Fuzzies!

    Monday, November 6, 2017 6:59 PM
  • I have the same issue, and interested in the result.  You'd think you could use "Enable-SCOMNotificationSubscription" but flag only new alerts, like the GUI Console allows when you manually enable a subscription.  Sadly, I have not found the right field / parameter for the SCOM PS1 cmdlet to do this.

    B. Wright

    Tuesday, November 7, 2017 5:05 PM