Data Item XML - creation time

Today I received a request for help that I later came to find interesting. A customer wanted to use the time of the event that caused an alert inside that alert's description. He realized that, assuming suppression is used, this would be the time of the first event that triggered the alert. He just could not come up with the XPath query for the $Data/…$ context parameter replacement.

Before I show my answer, let’s review the scenario a little. Each NT event includes the time of its creation. It was safe to assume that OpsMgr 2007 uses this time when it reads the event and creates its representation as a data type. And I can confirm that when the OpsMgr 2007 event data type is created, it uses the time when the NT event was raised.

There are two possible workflows creating the alert that we should consider. The first is a rule generating an alert when some event is raised. The second is, of course, an alert created by a monitor state change that was triggered when the event was raised. It is important to recognize which workflow we are dealing with, because the replacement query is different for each of them.

The following is a sample representation of the event data type:

<DataItem type="System.Event.Data" time="2000-01-15T19:57:33.1673432-08:00">
  <EventOriginId>{3dbd7293-7e9d-437d-9ddf-e0800c3c61d6}</EventOriginId>
  <PublisherId>{88227293-7e9d-4444-9ddf-e0800c3c6999}</PublisherId>
  <PublisherName>SamplePublisher</PublisherName>
  <Channel>Application</Channel>
  <LoggingComputer>SampleComputer</LoggingComputer>
  <EventNumber>2000</EventNumber>
  <EventCategory>2</EventCategory>
  <EventLevel>3</EventLevel>
  <UserName>domain\user</UserName>
  <RawDescription>Device error occured %1 times while copying data to %2</RawDescription>
  <LCID>0</LCID>
  <Params>
    <Param>1</Param>
    <Param>DVD</Param>
  </Params>
  <EventData/>
  <EventDisplayNumber>2000</EventDisplayNumber>
  <EventDescription>Device error occured 1 times while copying data to DVD</EventDescription>
  <ManagedEntityId>{11117293-7e9d-437d-9ddf-e0800c3c6111}</ManagedEntityId>
  <RuleId>{22227293-7e9d-4444-9ddf-e0800c3c6111}</RuleId>
</DataItem>

The query to use when the alert is generated by a rule after an NT event was raised is $Data/@time$ . The reason is that the input data type for the alert generating module is the event data type itself, so the root node is selected and the value of its time attribute is requested.

The query to use when the alert is generated by a monitor state change after an NT event was raised is $Data/Context/DataItem/@time$ . This format is needed because the triggering event data type is stored inside the Context of the monitor state change before it serves as input for the alert generating module.
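The two queries above, resolved against sample data items, as an added example that is not part of the original post and is not OpsMgr code. The names resolve, expand and TOKEN are hypothetical, the state change wrapper is constructed (only its Context nesting comes from the text above), and leaving an unresolved token in place is this sketch's own choice.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the event data item shown above.
EVENT_XML = (
    '<DataItem type="System.Event.Data" time="2000-01-15T19:57:33.1673432-08:00">'
    '<EventNumber>2000</EventNumber>'
    '<EventDescription>Device error occured 1 times while copying data to DVD'
    '</EventDescription>'
    '</DataItem>'
)

# Constructed sample for the monitor workflow. Only the Context/DataItem nesting
# is taken from the post; the outer time value is an assumption made here.
STATE_CHANGE_XML = (
    '<DataItem time="2000-01-15T19:58:02.0000000-08:00">'
    '<Context>' + EVENT_XML + '</Context>'
    '</DataItem>'
)

TOKEN = re.compile(r'\$Data/([^$]+)\$')  # matches $Data/<path>$

def resolve(path, root):
    """Evaluate the part after $Data/ relative to the root DataItem."""
    steps = path.split('/')
    # A trailing @name step selects an attribute of the node reached so far.
    attr = steps.pop()[1:] if steps[-1].startswith('@') else None
    node = root.find('/'.join(steps)) if steps else root
    if node is None:
        return None  # path does not exist in this data item
    return node.get(attr) if attr else (node.text or '')

def expand(template, data_item_xml):
    """Replace every $Data/...$ token in an alert description template."""
    root = ET.fromstring(data_item_xml)
    def substitute(match):
        value = resolve(match.group(1), root)
        # Sketch behaviour (assumption): keep the token visible if unresolved.
        return match.group(0) if value is None else value
    return TOKEN.sub(substitute, template)

if __name__ == '__main__':
    print(expand('Rule: raised at $Data/@time$', EVENT_XML))
    print(expand('Monitor: raised at $Data/Context/DataItem/@time$', STATE_CHANGE_XML))
    # Rule-style query against the monitor input reads the outer item's time.
    print(expand('Monitor, wrong query: $Data/@time$', STATE_CHANGE_XML))
```

Running the rule-style query against the monitor input returns the wrapper's time rather than the event's, which is why the workflow has to be identified before choosing the query.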

Conclusion:

These queries can really be used with all data types implemented in OpsMgr 2007; just remember that not all data types use the original data creation time as the creation time of their OpsMgr representation.