Resources For IT Professionals
Monitors can be configured to create an alert when they change from a healthy state to a warning state or a critical state. This alerting can be enabled on a monitor but just enabling the option, but other details of the alert should be considered.
The name of the alert is a single line of static text and cannot include any variables.
The Alert severity defines the alert as an Information, Warning, or Critical alert. This severity does not have to match the severity of the health state triggering the alert. The severity of the alert is identified by an icon in the Operations console and is used by views and notification subscriptions. The alert priority is inaccessible in the Operations console but is used primarily for notification subscriptions.
Alert suppression is not required for monitors because alerts are only created when the monitor changes state. For example, consider a monitor that samples a performance counter on a regular interval. When the threshold is exceeded, the monitor changes to a critical state and creates an alert. The next time that the monitor samples the counter its value still exceeds the threshold. The monitor does not change state because that monitor is already in a critical state. Because the monitor does not change state, no alert is created.
Monitors that create alerts can be configured to automatically resolve the alert when the monitor returns to a healthy state. This means that any unresolved alert for the monitor represents a problem that still exists. There is no configuration this requirement other than confirming the option that automatic resolution be performed.
The alert description may have several lines of text that can include a combination of static text and variables. The most common kind of variable in the alert description will be $Data variables to include different information from the monitor’s data source in the description of the alert. The properties that are available will depend on the kind of data source being used. Each section of Data Sources includes a list of the properties available for different data sources. The following sections provide details and examples of variables in monitor alerts created from the different data sources:
Event monitors that use detection logic other than a simple event will have summary properties available in addition to the events collected by the monitor. These properties provide information such as the details of the time window used for the monitor or the count of the particular events collected. The summary properties available for monitors using different detection logic are shown in the following table:
| Detection Logic | Summary Property | Description |
| Repeated Events Missing Events |
TimeWindowStarts | Time that the time window started |
| TimeWindowEnds | Time that the time window ended | |
| TimeFirst | Time of the first event | |
| TimeLast | Time of the last evenng> | Description |
| Repeated Events Missing Events |
||
| Count | Number of events that are collected in the time window | |
| Correlated Events Correlated Missing Events |
Item0Count | Number of the first event that are collected |
| Item1Count | Number of the second event that are collected |
The syntax for Windows event monitors are shown in the following table. For a simple Windows event monitor, just the event properties are available. The list of event properties for each type of event data source are available in the Events section. For other detection logic, the properties of the event are available in addition to the summary properties listed in the previous table.
| Detection Logic | Syntax | Example |
| Simple Event |
$Data/Context/<Event Property Name>$ |
$Data/Context/EventDescription$ |
| $Data/Context/Params/Param[#]$ |
$Data/Context/Params/Param[2]$ |
|
| Repeated Event |
$Data/Context/<Summary Property Name>$ |
$Data/Context/Count$ |
| $Data/Context/Context/DataItem/<Event Property Name>$
|
$Data/Context/Context/DataItem/EventDescription$
|
|
| $Data/Context/Context/DataItem/Params/Param[#]$ |
$Data/Context/Context/DataItem/Params/Param[2]$ |
|
| Correlated Event |
$Data/Context/<Summary Property Name>$ |
$Data/Context/Item0Count$ |
| $Data/Context/Item#Context/DataItem/<Event Property Name>$
|
$Data/Context/Item0Context/DataItem/EventDescription $
|
|
| $Data/Context/Item#Context/DataItem/Params/Param[#]$
|
$Data/Context/Item1Context/DataItem/Params/Param[2]$
|
|
| Correlated Missing Event |
$Data/Context/<Summary Property Name>$ |
$Data/Context/Item0Count$ |
| $Data/Context/Item#Context/DataItem/<Event Property Name>$
|
$Data/Context/Item0Context/DataItem/ EventDescription$
|
|
| $Data/Context/Item#Context/DataItem/Params/Param[#]$
|
$Data/Context/Item1Context/DataItem/Params/Param[2]$
|
|
| Missing Event |
$Data/Context/<Summary Property Name>$ |
$Data/Context/Count$ |
| $Data/Context/Context/DataItem/<Event Property Name>$ | $Data/Context/Context/DataItem/ EventDescription$ | |
| $Data/Context/Context/DataItem/Params/Param[#]$ | $Data/Context/Context/DataItem/Params/Param[2]$ |
The syntax for text log event monitor properties are show in the following table. For a simple text log event monitor, just the event properties are available. The list of event properties for each type of event data source are available in the Events section. For repeated event monitors, the properties of the event are available in addition to the summary properties listed in the previous table.
| Detection Logic | Syntax | Example |
| Simple Event |
$Data/Context/<Event Property Name>$ | $Data/Context/LogFileName$ |
| $Data/Context/Params/Param[#]$ | $Data/Context/Params/Param[2]$ | |
| Repeated Event |
$Data/Context/<Summary Property Name>$ | $Data/Context/Count$ |
| $Data/Context/Context/DataItem/<Event Property Name>$ | $Data/Context/Context/DataItem/LogFileName$ | |
| $Data/Context/Context/DataItem/Params/Param[#]$ | $Data/Context/Context/DataItem/Params/Param[2]$ |
The syntax for WMI event monitors properties are shown in the following table. These are more complex than Windows event monitors because the collection must be specified. Further details on these properties are available in the Events section. For repeated event monitors, the properties of the event are available in addition to the summary properties listed in the previous table.
| Detection Logic | Syntax | Example | ||
| Simple Event | $Data/Context/Collection[@Name='<TargetInstance|PreviousInstance>']/Property[@Name='<PropertyName>']$ | $Data/Context/Collection[@Name='TargetInstance']/Property[@Name='Name']$ | ||
| Repeated Event | $Data/Context/<Summary Property Name>$ | $Data/Context/Count$ | ||
$Data/Context/Context/DataItem/Collection[@Name='<TargetInstance|PreviousInstance>']/Propert| Detection Logic |
Syntax |
Example |
$Data/Context/Context/DataItem/Collection[@Name='TargetInstance']/Property[@Name='Name']$
|
|
Performance monitors use the same syntax for both data sources as shown in the following table. The properties available are listed in Performance Data.
| Data Source | Syntax | Examples |
| Windows Performance | $Data/Context/<PropertyName>]$ | $Data/Context/Value$ |
| WMI Performance | $Data/Context/<PropertyName>]$ | $Data/Context/Value$ |
Script monitors use the syntax in the following table to refer to properties in the property bag returned from the script. Details on property bags are provided in Monitoring Scripts.
| Data Source | Syntax | Examples |
| Monitoring Script | $Data/Context/Property[@Name='<PropertyName>']$ | $Data/Context/Property[@Name='Result'>']$ |
