Parameter replacements (part 4)

This post continues the Parameter replacements series. So far I have talked about all but Data replacements, so now I will try to describe them a little more. This context replacement is unfortunately the hardest of all to use …

Data Context Parameters

Some modules accept configuration parameters that refer to properties of the incoming data item. Depending on the module type, some configuration parameters can have data item properties as their context. For example, a filter module allows the creation of a Boolean expression against the data item properties, and a discovery data mapper module maps the incoming data to discovery data using mapping information that refers to data item properties.

An MP author can access this context using Data context parameters.

Syntax

Use the following syntax to retrieve the value of a property from the input data item:

$Data/<relative xpath to the data item property>$

Where Used

Configuration section of selected module types, in either:

- Rules, monitors, tasks
- Composite module type implementation

Example

Write action part of alert generating rule:

<WriteActions>
  <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
    <Priority>2</Priority>
    <Severity>2</Severity>
    <AlertName/>
    <AlertDescription/>
    <AlertMessageId>$MPElement[Name="Sample.AlertMessage"]$</AlertMessageId>
    <AlertParameters>
      <!-- Fourth parameter of the incoming event data item -->
      <AlertParameter1>$Data/Params/Param[4]$</AlertParameter1>
    </AlertParameters>
    <Suppression>
      <!-- Alert suppression is keyed on these two data item properties -->
      <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
      <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
    </Suppression>
  </WriteAction>
</WriteActions>

Note

The syntax for the relative XPath to the data item property depends on the data item type. Each data item type exposes its members through simple XPath queries. For example, some of the properties of an event data item can be retrieved as follows:

$Data/EventDisplayNumber$

$Data/EventDescription$

$Data/Params/Param[1]$

The real problem here is that the XML representation of data items defined in Management Packs imported into the system is not documented, and no XML schema is available. Such documentation is missing because it is nearly impossible to create when (if) custom data types are allowed in the future. This is the reason why creating the XPath to retrieve the value of a data item property is such a pain …
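Because the data item layout is undocumented, it helps to test a $Data/...$ path against a sample data item before putting it into a management pack. The following is an added example, not code from the original post or from Operations Manager: the DataItem XML is constructed from the property names used above, and resolve_data_tokens, its choice to leave unmatched tokens in place, and the use of Python's ElementTree XPath subset are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Element names are the ones used on this page; the real
# layout of a data item is undocumented and may differ.
SAMPLE_EVENT = """\
<DataItem>
  <EventDisplayNumber>1001</EventDisplayNumber>
  <EventDescription>constructed description</EventDescription>
  <LoggingComputer>srv01.example.test</LoggingComputer>
  <Params>
    <Param>param-1</Param>
    <Param>param-2</Param>
    <Param>param-3</Param>
    <Param>param-4</Param>
  </Params>
</DataItem>
"""

# Matches $Data/<relative xpath>$ only; other contexts such as $MPElement[...]$
# are left untouched.
TOKEN = re.compile(r"\$Data/([^$]+)\$")


def resolve_data_tokens(config_text, data_item_xml):
    """Replace each $Data/<xpath>$ token with the text of the matching element.

    Returns (resolved_text, unresolved_xpaths). Tokens whose XPath matches
    nothing are left in place and reported (an assumption of this example,
    not documented Operations Manager behaviour).
    """
    root = ET.fromstring(data_item_xml)
    unresolved = []

    def substitute(match):
        xpath = match.group(1)
        try:
            # The path is evaluated relative to the data item root element.
            node = root.find(xpath)
        except (SyntaxError, KeyError):  # path outside ElementTree's XPath subset
            node = None
        if node is None:
            unresolved.append(xpath)
            return match.group(0)
        return (node.text or "").strip()

    return TOKEN.sub(substitute, config_text), unresolved
```

Running a module's configuration text through the function and checking the second return value shows which paths do not exist in the sample, for example Param[5] when the event carries only four parameters.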

Also, please check back again; I will try to describe XPath queries for some of the data types defined by Microsoft (I will try to go through the most common ones that could be used in recoveries, alerts generated by monitors, etc. …)