Alerts, SNMP traps, Scripts, and PropertyBags...
I am trying to generate alert descriptions based on the contents of an SNMP trap. I currently have a rule that generates alerts. I can access the OID bindings via:

    $Data/EventData/DataItem/SnmpVarBinds/SnmpVarBind[10]/Value$

so I can piece together various values. What I want to do is take the variable bindings, pass them to a script where I can massage them, and pass them back in a PropertyBag.

Originally I generated the rule from the console. The SNMPtrapEvent is the data source, and I have two actions: a script and an alert. The script creates a PropertyBag, but the alert can't see the data.

    ' Create the script API object and an empty property bag
    Set oAPI = CreateObject("MOM.ScriptAPI")
    Set oBag = oAPI.CreatePropertyBag()
    ' Add a single test value under the name "ret" and return the bag
    strReturn = "Test"
    oBag.AddValue "ret", strReturn
    oAPI.Return oBag

Using $Data/Property[@Name='ref']$ in the alert description results in nothing. My suspicion is that the actions run independently, and I can't get to the result.

Looking at the Authoring Console, it seems that what I REALLY want to do is have the script be the data source, let the resultant PropertyBag be subject to Condition detection, and then have an alert display a description (which is built from or passed in the PropertyBag as well). But how do I call a script as a data source? How do I feed it the OID bindings? Am I completely approaching this from the wrong direction?
March 11th, 2011 6:51pm

Hi

This site might help: http://operatingquadrant.com/2009/09/12/scom-advanced-snmp-monitoring-part-ii-designing-the-snmp-monitors/

Cheers
Graham
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
March 12th, 2011 5:09pm

Very helpful - I further found this: http://blogs.msdn.com/b/rslaten/archive/2009/02/25/using-a-property-bag-to-populate-an-alert-description-part-ii.aspx which marched me through the process. I've made progress, but am still stymied.

The Console rule wizard created a rule that used the System.SnmpTrapEventProvider module as a data source. Using the Authoring Console, I created a custom data source that starts with the same module (System.SnmpTrapEventProvider) followed by Microsoft.Windows.ScriptPropertyBagProbe.

Having done that, I created a rule (mimicking the wizard-created rule) that uses my custom data source, and an action of System.Health.GenerateAlert. I then specify an IP for my custom datasource of:

    $Target/Property[Type="MicrosoftSystemCenterNetworkDeviceLibrary6172210!Microsoft.SystemCenter.NetworkDevice"]/IPAddress$

When I try to enable the rule, it fails. The event log shows: Error registering for Snmp Traps Status 0x0. The detail:

    System
      Provider [Name] Health Service Modules
      EventID 11003 [Qualifiers] 49152
      Level 2
      Task 0
      Keywords 0x80000000000000

Thoughts or pointers?

/ John
March 15th, 2011 5:08pm

Hi

Not sure how large the MP is, but can you copy and paste the code into here so that we can load it all and take a look.

Cheers
Graham
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
March 16th, 2011 6:24pm

Hi,

Since this thread has not been active for several days, I will mark and close it. If there is any update, please reply.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 21st, 2011 5:14am

More detail...

The problem was that I wasn't specifying all the parameters for the System.SnmpTrapEventProvider module in my custom source. I got around the problem by mimicking the settings for the wizard-generated rule from the console. Many of the parameters seemed arbitrary - more comments than parameters, and so I had left in the placeholders that the module had offered.

It's all the more difficult that the documentation (Management Pack Module Reference) has unhelpful descriptions for the parameters. For instance:

    EventNumber    String    Contains the event ID.

Based on that, WHAT should I put in it? I can't even find a cross-reference to tell me what is MEANT by an event. A Windows event? Not that I could find. The wizard put in 1501 for a value, but I couldn't find any events with that ID in the logs. Or is this an event with meaning only within the context of SCOM?

Nonetheless, that value and all the others that I blindly copied cut through the issue and I can now use the data source in my rule. Working now on getting the condition in the rule to evaluate a PropertyBag value.
March 21st, 2011 8:23am

Two steps forward, one step back.

I succeeded in passing in the contents of the trap via parameters. The script manipulates the trap, generates a PropertyBag, and my rule can generate an alert with the values. All well and good. But it turns out that my traps come in different variants, and some fields are not always present. My arguments to the script are:

    "$Data/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.0']/Value$"
    "$Data/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.1']/Value$"
    "$Data/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.2']/Value$"
    "$Data/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.3']/Value$"
    "$Data/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.4']/Value$"
    ...
    "$Data/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.14']/Value$"

What I would have preferred would have been to dissect the trap in the script. But my experiments with "$Data/EventData/DataItem/SnmpVarBinds/Value$" or "$Data/EventData/DataItem/SnmpVarBinds$" yielded a mashed together string with no apparent delimiters. If there is a way to pass in the entire trap to VBScript and manipulate it, please advise.

Barring that, I set out to make a data source for each trap variant (there are only a handful of variants). It turns out that OID .3 is the key, so I fed System.SnmpTrapEventProvider into System.ExpressionFilter with the following:

    <ConditionDetection ID="FL" TypeID="System!System.ExpressionFilter">
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="String">/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.3'][1]/Value</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="String">Dsam_DaOffline</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </ConditionDetection>

The value "Dsam_DaOffline" is precisely the value. Looking at the Alert Context from a more promiscuous rule, I see:

    1.3.6.1.4.1.5722.0.1.2.3    Octets    Dsam_DaOffline

However, a rule with this data source (and no condition), never fires.

I have scoured various blogs and sites, seeing LOTS of frustration on this topic. I've seen several discussions on the syntax (all trial and error) as well as this link that claims to have succeeded in exactly what I am attempting: http://www.ms-news.net/f2630/snmp-alert-rule-question-8653956.html

Obvious errors? Advice?

/ John
March 21st, 2011 5:25pm

Via trial and much error and web-sleaning, THIS worked....

    <ConditionDetection ID="FL" TypeID="System!System.ExpressionFilter">
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="String">/DataItem/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.3'][1]/Value</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="String">Dsam_DaOffline</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </ConditionDetection>

"DataItem/EventData/DataItem/" ? *HOW* could I have determined this - is this somehow documented or is there somewhere under the hood I could have looked?
March 21st, 2011 6:21pm
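
Added example, not part of the thread or of any SCOM tooling: a PowerShell check that lists the absolute path of every leaf in a data item and runs the failing and working XPath queries from the posts above against it. The sample data item is constructed from the paths quoted in the thread; the Syntax element name, the second var bind and its value are assumptions.

```powershell
# Constructed sample: the nesting is inferred from the XPath that worked in the
# thread; the <Syntax> element name and the .2.0 var bind are assumptions.
$xml = [xml]@'
<DataItem>
  <EventData>
    <DataItem>
      <SnmpVarBinds>
        <SnmpVarBind>
          <OID>1.3.6.1.4.1.5722.0.1.2.0</OID>
          <Syntax>Octets</Syntax>
          <Value>constructed-value</Value>
        </SnmpVarBind>
        <SnmpVarBind>
          <OID>1.3.6.1.4.1.5722.0.1.2.3</OID>
          <Syntax>Octets</Syntax>
          <Value>Dsam_DaOffline</Value>
        </SnmpVarBind>
      </SnmpVarBinds>
    </DataItem>
  </EventData>
</DataItem>
'@

# Walk the tree and emit "absolute path = text" for every leaf element, which
# shows the prefix an XPathQuery must carry to reach the var binds.
function Get-LeafPath {
    param([System.Xml.XmlNode]$Node, [string]$Prefix = '')
    $path = "$Prefix/$($Node.LocalName)"
    $children = @($Node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    if ($children.Count -eq 0) { "$path = $($Node.InnerText)" }
    else { foreach ($c in $children) { Get-LeafPath -Node $c -Prefix $path } }
}
Get-LeafPath -Node $xml.DocumentElement

# The query that never matched, the one that worked, and an OID that is
# absent from this trap variant (a missing var bind also yields no match).
$queries = @(
    "/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.3'][1]/Value",
    "/DataItem/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.3'][1]/Value",
    "/DataItem/EventData/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.4.1.5722.0.1.2.14'][1]/Value"
)
foreach ($q in $queries) {
    $hit = $xml.SelectSingleNode($q)
    $result = if ($hit) { $hit.InnerText } else { '<no match>' }
    '{0} -> {1}' -f $q, $result
}
```

Only the second query returns Dsam_DaOffline; the first selects nothing because SnmpVarBinds is not a direct child of the root DataItem in this layout.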

This topic is archived. No further replies will be accepted.
