Get-SCOMAlert Cmdlet, the Criteria Parameter and the Non-Equal Operator

Wow, that is a cryptic blog title. Did I already lose you with this blog post title? I hope not, because this blog post is about how to use the Get-SCOMAlert Cmdlet with the Criteria parameter the correct way.

Credits for this blogpost go to my colleague Jens Morawietz, because he explained the implications of using the Get-SCOMAlert Cmdlet with the Criteria parameter to me.

Let’s start by looking at the help for the Get-SCOMAlert Cmdlet.

Get-Help Get-SCOMAlert

If we look at the Examples for this Cmdlet, we don’t find much information about the Criteria Parameter.

So let’s explore the Criteria Parameter.

If we want to retrieve all New Alerts with Severity Critical that were generated by a Monitor, we can use the following Command:

Get-SCOMAlert -Criteria "ResolutionState = 0 AND Severity = 2 AND IsMonitorAlert = 1"

The reason we should use the Criteria parameter instead of filtering with the Where-Object Cmdlet is the impact on performance. If we use the Where-Object Cmdlet, we first retrieve ALL Alerts and only then filter them on the client.

Get-SCOMAlert | Where-Object {$_.ResolutionState -eq 0 -and $_.Severity -eq 2 -and $_.IsMonitorAlert -eq 1}

This returns the same Alerts.

But if we compare the time it takes to complete both commands, we see a difference.

Using the Criteria Parameter is much faster and less resource intensive.

Now that we are convinced to use the Criteria Parameter, there is something you need to know when using it: with the Criteria parameter a not-equal comparison returns only the Alerts where the field is set to a value not equal to the given value, whereas the Where-Object method returns the Alerts where the field is set to a value not equal to the given value OR is NULL, e.g.:

Let’s try to retrieve all New Alerts with Severity Critical, generated by a Monitor, AND the Owner not being “Stefan”.

We would think we could use the following statement to retrieve those Alerts:

Get-SCOMAlert -Criteria "ResolutionState = 0 AND Severity = 2 AND IsMonitorAlert = 1 AND (Owner <> 'Stefan')"

 

But when we run this command we see no Alerts being returned.

When we use the Where-Object Cmdlet, we see that there are Alerts where the Owner is not “Stefan”:

Get-SCOMAlert | Where-Object {$_.ResolutionState -eq 0 -and $_.Severity -eq 2 -and $_.IsMonitorAlert -eq 1 -AND $_.Owner -ne "Stefan"}

So the resolution is to include OR <property> IS NULL in the criteria, which in the end becomes the WHERE clause of the SELECT statement run against the Ops Mgr database, e.g.:

Get-SCOMAlert -Criteria "ResolutionState = 0 AND Severity = 2 AND IsMonitorAlert = 1 AND (Owner <> 'Stefan' OR Owner IS NULL)"

Btw, the last method is not only less resource consuming but also much faster than the second one.
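As an added example (not code from the original post), here is a small helper that builds such a Criteria string, expands every not-equal test with the IS NULL clause, and times the result against the Where-Object equivalent. The function names, the timing harness and the assumption that the criteria parser accepts SQL-style doubled single quotes are mine, not part of the SCOM Cmdlets.

```powershell
# Added example, not code from the original post. Assumes the OperationsManager
# module is loaded and a management group connection already exists.

function Format-CriteriaValue([object]$v) {
    # Numbers and booleans are emitted bare; strings are single-quoted.
    if ($v -is [int] -or $v -is [bool]) { return [int]$v }
    # Assumption: the criteria parser accepts SQL-style doubled single quotes,
    # so a value such as O'Brien cannot end the quoted string early.
    return "'" + ([string]$v).Replace("'", "''") + "'"
}

function New-ScomAlertCriteria {
    param(
        [System.Collections.IDictionary]$Equals    = @{},  # property -> required value
        [System.Collections.IDictionary]$NotEquals = @{}   # property -> excluded value
    )
    $clauses = @()
    foreach ($p in $Equals.Keys) {
        $clauses += ('{0} = {1}' -f $p, (Format-CriteriaValue $Equals[$p]))
    }
    foreach ($p in $NotEquals.Keys) {
        # The criteria ends up as a SQL WHERE clause, where NULL <> 'x' is not true,
        # so "OR <prop> IS NULL" is needed to keep unowned alerts, as Where-Object -ne does.
        $clauses += ('({0} <> {1} OR {0} IS NULL)' -f $p, (Format-CriteriaValue $NotEquals[$p]))
    }
    return ($clauses -join ' AND ')
}

$criteria = New-ScomAlertCriteria `
    -Equals    ([ordered]@{ ResolutionState = 0; Severity = 2; IsMonitorAlert = 1 }) `
    -NotEquals @{ Owner = 'Stefan' }
# $criteria is now:
# ResolutionState = 0 AND Severity = 2 AND IsMonitorAlert = 1 AND (Owner <> 'Stefan' OR Owner IS NULL)

# Time both approaches: the counts should agree, and -Criteria should be much faster
# because the filtering happens in the database instead of in the PowerShell pipeline.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$viaCriteria = @(Get-SCOMAlert -Criteria $criteria)
$tCriteria = $sw.Elapsed.TotalMilliseconds
$sw.Restart()
$viaWhere = @(Get-SCOMAlert | Where-Object {
    $_.ResolutionState -eq 0 -and $_.Severity -eq 2 -and
    $_.IsMonitorAlert -eq 1 -and $_.Owner -ne 'Stefan'
})
$tWhere = $sw.Elapsed.TotalMilliseconds

'-Criteria   : {0} alerts in {1:N0} ms' -f $viaCriteria.Count, $tCriteria
'Where-Object: {0} alerts in {1:N0} ms' -f $viaWhere.Count, $tWhere
```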

Have fun and thanks Jens for explaining.

Comments

  • Anonymous
    July 16, 2014
    Hi,

    Need some assistance if you can help. Using SCOM 2012 R2 to send Alerts and Events to SPLUNK.

    Splunk only has a SCOM 2007 app, so I am trying to fix the PowerShell script to work with SCOM 2102 R2.


    Below is one of the functions from the PowerShell script to retrieve events from SCOM. I know "Get-Event" is replaced with "Get-SCOMEvent", but even after replacing that it will not work, as the "Criteria" switch no longer exists.

    How else can I fix this?

    function getEvents($evCriteria)
    {
        $evCriteria = $evCriteria + $Global:eventsCriteria
        #og "DEBUG" ("Get-Event -Criteria ""{0}""" -f $evCriteria)
        return Get-SCOMEvent -criteria $evCriteria | sort TimeGenerated;
    }
  • Anonymous
    August 13, 2014
    K9, a really quick and easy solution could be to just generate alerts off of your events, then use the post above to get the applicable alerts. Or you could dig deeper into Get-SCOMEvent.
  • Anonymous
    October 25, 2017
    What's the syntax for matching some or all of the alert "Name" field? I can't get it to work.