Alert description and parameter replacement

 

Many of you already know that an alert’s description can contain the value of any property of the data type that caused the alert to be raised in the first place. What is a little cryptic, though, is how to write the XPath query that retrieves the value from the input data type. As multiple blogs have tried to explain and suggest what the right query is (Event Info in description, Performance info in description, search.live.com …), I decided to try and help as well.

There are two types of alert. The first is an alert raised by a rule; the second is an alert raised by a monitor health state change. In both cases, the trigger data type can supply values for the dynamic strings in the alert description. What differs is the format.

1. For an alert generated by a rule, use:
$Data/<xpath expression to retrieve value of property>$

2. For an alert generated by a state change of a unit monitor, use:
$Data/Context/<xpath expression to retrieve value of property>$

Now this is still very hard to do because there is no documentation of the XML format of each data type. That also means that writing an XPath expression can be rather adventurous, and the results are not always as expected. (BTW: Check back soon, I will try to help with how to find the XML representation of the input data type as well.)

Meanwhile, to help with recognizing an incorrect XPath expression, Operations Manager 2007 SP1 introduced new events (5400, 5401) that inform the user when the runtime was unable to replace a property value because the XPath expression failed to yield a result due to a typo, non-existence, or some other reason. An alert is also raised so that the OpsMgr 2007 operator can recognize this problem without inspecting the event log.

Sample event:

Event Type: Warning
Event Source: HealthService
Event Category: Health Service
Event ID: 5400
Date: 11/13/2007
Time: 12:58:39 PM
User: N/A
Computer: CUPIDDP13D

Description:
Parameter replacement during creation of the alert failed.

Alert: 1E5AFC2F-71F0-2BCE-AE38-2DCCE51AEB95
Workflow: EventBased.Test.AlertFromEvent
Instance: cupiddp13d
Instance ID: {BEC075CC-4008-5A4F-9D8D-6BC9C1012D36}
Management Group: marius

Failing replacement: $Data/UnreachableEventDisplayNumber$

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

How to troubleshoot:

1. Open Windows PowerShell

2. Get and store the monitoring object

For the sample event above, run:

$mo = Get-MonitoringObject -Id "BEC075CC-4008-5A4F-9D8D-6BC9C1012D36"

3. Get the rule, to identify which management pack to change

For the sample event above, run:

$rule = Get-Rule -MonitoringObject $mo -Criteria "Name = 'EventBased.Test.AlertFromEvent'"

4. Retrieve the management pack

For the sample event above, run:

$rule.GetManagementPack()
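
The steps above take their inputs from the “Instance ID”, “Workflow” and “Failing replacement” lines of the event. As an added example (not code from the original post), the following PowerShell function extracts those lines from a 5400 event description laid out as in the sample above and reports which of the two replacement formats the failing token uses. The function name ConvertFrom-ReplacementEvent is hypothetical.

```powershell
# Added example. ConvertFrom-ReplacementEvent is a hypothetical helper name,
# not an Operations Manager cmdlet.
function ConvertFrom-ReplacementEvent {
    param([Parameter(Mandatory = $true)][string]$Description)

    # Pull each "Label: value" line out of the event description.
    $labels = 'Alert', 'Workflow', 'Instance', 'Instance ID',
              'Management Group', 'Failing replacement'
    $f = @{}
    foreach ($label in $labels) {
        $pattern = '(?m)^[ \t]*' + [regex]::Escape($label) + ':[ \t]*(.*?)[ \t\r]*$'
        $m = [regex]::Match($Description, $pattern)
        if ($m.Success) { $f[$label] = $m.Groups[1].Value }
    }
    $token = $f['Failing replacement']
    if (-not $token) { throw 'No "Failing replacement" line in the description.' }

    # Classify the token by the two formats given in the post.
    $format = 'unrecognized'
    $xpath = $null
    if ($token -match '^\$Data/Context/(.+)\$$') {
        $format = 'monitor state change'
        $xpath = $Matches[1]
    } elseif ($token -match '^\$Data/(.+)\$$') {
        $format = 'rule'
        $xpath = $Matches[1]
    }

    New-Object PSObject -Property @{
        Workflow   = $f['Workflow']
        InstanceId = ($f['Instance ID'] -replace '[{}]', '')  # GUID for -Id
        Token      = $token
        Format     = $format
        XPath      = $xpath
    }
}

# Description text of the sample event shown in this post.
$sample = @'
Parameter replacement during creation of the alert failed.
Alert: 1E5AFC2F-71F0-2BCE-AE38-2DCCE51AEB95
Workflow: EventBased.Test.AlertFromEvent
Instance: cupiddp13d
Instance ID: {BEC075CC-4008-5A4F-9D8D-6BC9C1012D36}
Management Group: marius
Failing replacement: $Data/UnreachableEventDisplayNumber$
'@

ConvertFrom-ReplacementEvent -Description $sample | Format-List
```

The InstanceId and Workflow values are what steps 2 and 3 pass to Get-MonitoringObject and Get-Rule; XPath is the expression to correct in the management pack.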

Resolution:

If the management pack is sealed, disable the alert-generating rule identified by the value of “Workflow” in the event description. Then contact the management pack developer and request a fix for the alert parameter identified by “Failing replacement”.

If it is your custom management pack, correct the XPath expression for the alert parameter, which is again identified by “Failing replacement” in the event description, increase the version number, and re-import the corrected management pack.

If the rule was created using the authoring part of the UI, edit the rule properties and correct the XPath expression in the description box. The incorrect XPath is again identified by “Failing replacement” in the event description.