Report instances of specific event ID
Our SCOM database is filling up, and I have run a SQL query to determine what the top most eventIDs are. There are a few culprits, with the number one EventID generating 10,712 events over the past week. In this case, the EventID is 9100 and it seems to be a fairly generic event. What I'd like to do is run a report seeing which agents are throwing out these alerts. So, how can I run a report to tell me essentially, "Show me all the computers that are sending out EventID xx over the last xx days."? Thanks in advance.
April 26th, 2012 4:14pm
Hello Matt, In Reporting >> System Center Core Monitoring Reports >> Data Volume by Management Pack >> Data Type (select Events) >> Run the report Then drilldown for the noisy Management Packs in terms of Event Collection, then find more details about the noisy instances and objects.. Hope this helps.. Regards, Mazen Ahmed
April 26th, 2012 4:58pm
Hi Matt, Another helpful report: Reporting >> Microsoft Generic Report Library >> Custome Event >> filter with the Event ID 9100 and select the values you want to know about.. Then export to Excel and do some data sore and filters to get the noisy Computer.. Good luck!!Regards, Mazen Ahmed
April 26th, 2012 5:02pm
Hi, Please also try the reports referring to the following documents and see if they can meet your requirements: Most Common Events Report Knowledge http://technet.microsoft.com/en-us/library/ee338468.aspx How to Create an Event Analysis Report in Operations Manager 2007 http://technet.microsoft.com/en-us/library/bb309574.aspx Hope this helps. Thanks. Nicholas Li TechNet Community Support
May 1st, 2012 1:43am
Thanks everyone. Nicholas, that documentation pointed me in the right direction, and I have a pretty easy way to see all instances across my organization. It seems a little kludgy so perhaps there's a better way, but the following worked for me: Click the Monitoring button. In the right splash screen click "Go to computers"Select any computer, it doesn't matter.Under "Windows Computer Reports" on the right, click "Event Analysis" Select a date range Under Objects, remove whatever is in there and click Add GroupSearch for Windows Computers and select "All Windows Computers".Under source, check the box next to Event ID and enter the ID in question.RUN!
May 1st, 2012 10:04am
Hi Matt There are also a lot of good SQL queries here from Kevin Holman that can help with these sorts of issues: http://blogs.technet.com/b/kevinholman/archive/2009/11/25/tuning-tip-turning-off-some-over-collection-of-events.aspx http://blogs.technet.com/b/kevinholman/archive/2007/10/18/useful-operations-manager-2007-sql-queries.aspx You might also want to reduce the length of time that events are stored in the DW database: http://blogs.technet.com/b/kevinholman/archive/2010/01/05/understanding-and-modifying-data-warehouse-retention-and-grooming.aspx http://blogs.technet.com/b/kevinholman/archive/2010/06/16/management-group-checkup-a-database-perspective.aspx Cheers Graham Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
May 2nd, 2012 4:42am