Rule or Monitor to alert on only first event and reset on time

Hi,

Our SCOM version is SCOM 2007 R2. I have tried all of the Windows Event monitors but did not see any of them have what I need to do. We have an application that throws Error events to its own custom event log with different IDs and the same source. The events are usually repeated because of the nature of the application.

What I want to do is to generate an alert when an event is created and do not generate any more events for that specific ID for the next 8 hours. For example, if an event is created with ID 1, generate an alert and do not generate any more alerts for the following ID 1 events for the next 8 hours. If an event is created with ID 2, then do the same thing specific to that ID.

I know I can create time reset windows event monitors for each event id, but there are about 50 different event ids, so this does not seem like a solution.

This may be a rule or monitor, doesn't matter. Any suggestions welcome. Thanks.


  • Edited by AndaTech Thursday, February 27, 2014 9:44 AM added SCOM version
February 27th, 2014 12:34pm

Using Alert Suppression policy for your rule can help you with your requirement to an extent. Create a rule to monitor to look for all those event IDs with that specific source. While configuring alerts, use the alert suppression policy to look for the 'EventID' parameter. So you won't get multiple alerts if the event ID is the same, but the repeat count of that alert would increase by one for each occurrence of that particular event ID.

For resolving that event ID after 8 hours, you could use a PowerShell script to look for that alert name and resolve it if it is older than 8 hours.

This is something that came up first when I read your question. I will check if this could be achieved in a better way.

Regards,

Saravanan

February 27th, 2014 5:16pm
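A sketch of the cleanup script described in the reply above, as an added example that is not part of the original thread. It assumes it runs in the SCOM 2007 R2 Operations Manager Command Shell, already connected to the management group, and the alert name is a placeholder for whatever name the rule's alert was given.

```powershell
# Added example: resolve alerts from the suppressed event rule once they are 8 hours old.
# With suppression on EventID, each event ID keeps one open alert whose RepeatCount grows;
# resolving it lets the next event with that ID raise a fresh alert.

# ASSUMPTION: placeholder alert name, replace with the name configured on the rule.
$alertName   = 'PLACEHOLDER - Custom App Error Event'
$maxAgeHours = 8

# TimeRaised is stored in UTC, so compare against a UTC cutoff.
$cutoffUtc = (Get-Date).ToUniversalTime().AddHours(-$maxAgeHours)

# ResolutionState 0 = New. Alerts moved to another state by an operator are left alone.
$criteria = "Name = '$alertName' AND ResolutionState = 0"

# Age is filtered client-side on TimeRaised, the time of the first (unsuppressed) event.
$stale = @(Get-Alert -Criteria $criteria |
    Where-Object { $_.TimeRaised -lt $cutoffUtc })

foreach ($alert in $stale) {
    # Record what is being closed, including how many repeats were suppressed.
    "{0}  raised {1:u}  repeat count {2}" -f $alert.Name, $alert.TimeRaised, $alert.RepeatCount
    $alert | Resolve-Alert -Comment "Auto-closed after $maxAgeHours hours" | Out-Null
}

"Resolved $($stale.Count) alert(s)"
```

Scheduled to run more often than every 8 hours, this keeps the quiet period per event ID close to 8 hours; the gap between runs is added to the window.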

Hi Saravanan,

I did this as you explained and it works like a charm! I utilized Orchestrator to close alerts if they are 8 hours old. Thank you.

If you come up with anything better, I would be happy to hear and try that.

Thanks again.

March 4th, 2014 7:06am
