

Operations Manager Management Pack Authoring - Alerts from Monitors

This document is part of the Operations Manager Management Pack Authoring Guide.  The Microsoft System Center team has validated this procedure as of the original version.  We will continue to review any changes and periodically provide validations on later revisions as they are made.  Please feel free to make any corrections or additions to this procedure that you think would assist other users.

Monitors can be configured to create an alert when they change from a healthy state to a warning state or a critical state. Alerting can be enabled on a monitor by just enabling the option, but other details of the alert should be considered.

Alert Name

The name of the alert is a single line of static text and cannot include any variables.

Priority and Severity

The alert severity defines the alert as an Information, Warning, or Critical alert. This severity does not have to match the severity of the health state triggering the alert. The severity of the alert is identified by an icon in the Operations console and is used by views and notification subscriptions. The alert priority is inaccessible in the Operations console but is used primarily for notification subscriptions.

Alert Suppression

Alert suppression is not required for monitors because alerts are only created when the monitor changes state. For example, consider a monitor that samples a performance counter on a regular interval. When the threshold is exceeded, the monitor changes to a critical state and creates an alert. The next time that the monitor samples the counter its value still exceeds the threshold. The monitor does not change state because that monitor is already in a critical state. Because the monitor does not change state, no alert is created.

Automatic Alert Resolution

Monitors that create alerts can be configured to automatically resolve the alert when the monitor returns to a healthy state. This means that any unresolved alert for the monitor represents a problem that still exists. There is no configuration for this requirement other than confirming the option that automatic resolution be performed.

Alert Description

The alert description may have several lines of text that can include a combination of static text and variables. The most common kind of variable in the alert description will be $Data variables to include different information from the monitor’s data source in the description of the alert. The properties that are available will depend on the kind of data source being used. Each section of Data Sources includes a list of the properties available for different data sources. The following sections provide details and examples of variables in monitor alerts created from the different data sources:

Event Summary Properties

Event monitors that use detection logic other than a simple event will have summary properties available in addition to the events collected by the monitor. These properties provide information such as the details of the time window used for the monitor or the count of the particular events collected. The summary properties available for monitors using different detection logic are shown in the following table:

Detection Logic  Summary Property  Description
Repeated Events, Missing Events
 TimeWindowStarts  Time that the time window started
 TimeWindowEnds  Time that the time window ended
 TimeFirst  Time of the first event
 TimeLast  Time of the last event
 Count  Number of events that are collected in the time window
Correlated Events, Correlated Missing Events
 Item0Count  Number of the first event that are collected
 Item1Count  Number of the second event that are collected

Windows Event Monitors

The syntax for Windows event monitors is shown in the following table. For a simple Windows event monitor, just the event properties are available. The list of event properties for each type of event data source is available in the Events section. For other detection logic, the properties of the event are available in addition to the summary properties listed in the previous table.

Detection Logic  Syntax  Example
Simple Event
 $Data/Context/<Event Property Name>$  $Data/Context/EventDescription$
 $Data/Context/Params/Param[#]$  $Data/Context/Params/Param[2]$
Repeated Event
 $Data/Context/<Summary Property Name>$  $Data/Context/Count$
 $Data/Context/Context/DataItem/<Event Property Name>$  $Data/Context/Context/DataItem/EventDescription$
 $Data/Context/Context/DataItem/Params/Param[#]$  $Data/Context/Context/DataItem/Params/Param[2]$
Correlated Event
 $Data/Context/<Summary Property Name>$  $Data/Context/Item0Count$
 $Data/Context/Item#Context/DataItem/<Event Property Name>$  $Data/Context/Item0Context/DataItem/EventDescription$
 $Data/Context/Item#Context/DataItem/Params/Param[#]$  $Data/Context/Item1Context/DataItem/Params/Param[2]$
Correlated Missing Event
 $Data/Context/<Summary Property Name>$  $Data/Context/Item0Count$
 $Data/Context/Item#Context/DataItem/<Event Property Name>$  $Data/Context/Item0Context/DataItem/EventDescription$
 $Data/Context/Item#Context/DataItem/Params/Param[#]$  $Data/Context/Item1Context/DataItem/Params/Param[2]$
Missing Event
 $Data/Context/<Summary Property Name>$  $Data/Context/Count$
 $Data/Context/Context/DataItem/<Event Property Name>$  $Data/Context/Context/DataItem/EventDescription$
 $Data/Context/Context/DataItem/Params/Param[#]$  $Data/Context/Context/DataItem/Params/Param[2]$
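
The difference between the simple and repeated event paths is easy to get wrong, so the following added example (not part of the original guide and not Operations Manager's own resolver) checks an alert description against a sample context before the management pack ships. It assumes the part after `$Data/Context/` can be evaluated as a path relative to the context's root element; the XML layout, the values, and the names `SAMPLE_CONTEXT`, `TEMPLATE` and `resolve` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified context for a repeated Windows event monitor.
# Element names mirror the paths in the table above; values are made up.
SAMPLE_CONTEXT = """
<DataItem>
  <Count>3</Count>
  <Context>
    <DataItem>
      <EventDescription>Logon failure for service account</EventDescription>
      <Params>
        <Param>svc-backup</Param>
        <Param>0xC000006D</Param>
      </Params>
    </DataItem>
  </Context>
</DataItem>
"""

TEMPLATE = (
    "Event seen $Data/Context/Count$ times. "
    "Last: $Data/Context/Context/DataItem/EventDescription$ "
    "(status $Data/Context/Context/DataItem/Params/Param[2]$)"
)

# Everything between "$Data/Context/" and the closing "$" is the path.
VARIABLE = re.compile(r"\$Data/Context/([^$]+)\$")


def resolve(template, context_xml):
    """Return (rendered_text, unresolved_variables) for one alert description."""
    root = ET.fromstring(context_xml.strip())
    unresolved = []

    def substitute(match):
        try:
            node = root.find(match.group(1).strip())
        except SyntaxError:  # path ElementTree cannot parse
            node = None
        if node is None or node.text is None:
            unresolved.append(match.group(0))
            return match.group(0)  # leave the variable visible in the text
        return node.text.strip()

    return VARIABLE.sub(substitute, template), unresolved


if __name__ == "__main__":
    print(resolve(TEMPLATE, SAMPLE_CONTEXT))
    # Simple-event syntax against a repeated-event context does not resolve.
    print(resolve("Last: $Data/Context/EventDescription$", SAMPLE_CONTEXT))
```

A non-empty second element in the result means the description would reach operators and notification subscribers with a raw variable in it.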

Text Log Event Monitors

The syntax for text log event monitor properties is shown in the following table. For a simple text log event monitor, just the event properties are available. The list of event properties for each type of event data source is available in the Events section. For repeated event monitors, the properties of the event are available in addition to the summary properties listed in the previous table.

Detection Logic Syntax Example
 Simple Event
 $Data/Context/<Event Property Name>$  $Data/Context/LogFileName$
 $Data/Context/Params/Param[#]$  $Data/Context/Params/Param[2]$
 Repeated Event
 $Data/Context/<Summary Property Name>$  $Data/Context/Count$
 $Data/Context/Context/DataItem/<Event Property Name>$  $Data/Context/Context/DataItem/LogFileName$
 $Data/Context/Context/DataItem/Params/Param[#]$  $Data/Context/Context/DataItem/Params/Param[2]$

WMI Event Monitors

The syntax for WMI event monitor properties is shown in the following table. These are more complex than Windows event monitors because the collection must be specified. Further details on these properties are available in the Events section. For repeated event monitors, the properties of the event are available in addition to the summary properties listed in the previous table.

Detection Logic Syntax Example
Simple Event  $Data/Context/Collection[@Name='<TargetInstance|PreviousInstance>']/Property[@Name='<PropertyName>']$  $Data/Context/Collection[@Name='TargetInstance']/Property[@Name='Name']$
Repeated Event  $Data/Context/<Summary Property Name>$  $Data/Context/Count$
 $Data/Context/Context/DataItem/Collection[@Name='<TargetInstance|PreviousInstance>']/Property[@Name='<PropertyName>']$  $Data/Context/Context/DataItem/Collection[@Name='TargetInstance']/Property[@Name='Name']$

Performance Monitors

Performance monitors use the same syntax for both data sources as shown in the following table. The properties available are listed in Performance Data.

Data Source Syntax Examples
 Windows Performance  $Data/Context/<PropertyName>$  $Data/Context/Value$
 WMI Performance  $Data/Context/<PropertyName>$  $Data/Context/Value$

Script Monitors

Script monitors use the syntax in the following table to refer to properties in the property bag returned from the script. Details on property bags are provided in Monitoring Scripts.

Data Source Syntax Examples
Monitoring Script  $Data/Context/Property[@Name='<PropertyName>']$  $Data/Context/Property[@Name='Result']$