Showing posts with label alert view by group. Show all posts

Wednesday, April 6, 2016

OpsMgr (SCOM) - Alerts per group SQL Query (+) Datazen Dashboard

Since I showed how to get this in my last post, a PFE friend of mine noticed something that might concern some of you. To be honest, I didn't point it out because to me it was not an issue, but I understand it might be one to some of you.

It doesn't give you recursive membership alerts.
My older post will only give you object-specific alerts on that group, "nothing else"!
So, I started to think about how I could help myself (and you!) out with this "issue", and came up with this idea.

First, I've shown how to do this with PowerShell.
All alerts for a specific group, in a specific time range, and for a specific severity - these were my filters.
But how can I "translate" PowerShell into SQL?
SQL Profiler!
Basically, when you run a PowerShell cmdlet like:
Get-SCOMAlert -Criteria (...)
you're connecting to the OperationsManager database and running a query.

So, the query goes as follows:

First, I create a temp table (a table variable) to hold my "groups".

DECLARE @TMP_GROUP_TABLE table(BaseManagedEntityId uniqueidentifier, DisplayName varchar(50));  
 INSERT INTO @TMP_GROUP_TABLE  
 SELECT BaseManagedEntityId, DisplayName FROM basemanagedentity WITH (nolock)  
 WHERE DisplayName = ('Group Name Here')  
 OR DisplayName = ('Other Group')  
 OR DisplayName = ('Other Group')  
 OR DisplayName = ('Other Group')  
 OR DisplayName = ('Other Group')  
 OR DisplayName = ('Other Group')

Then, the magic query - it's already set up to join the temp table and add the group name at the end :) (I promise I'll make a post about SQL Profiler!)

 DECLARE @LanguageCode1 varchar(3)  
 DECLARE @LanguageCode2 varchar(3)  
 DECLARE @ParentManagedEntityId uniqueidentifier  
 DECLARE @ResolutionState0 nvarchar(max)  
 DECLARE @Severity0 nvarchar(max)  
 DECLARE @TimeRaised0 datetime  
 SET @LanguageCode1='ENU' ; SET @LanguageCode2=NULL  
 SET @ResolutionState0=N'0' ; SET @Severity0=N'1'; SET @TimeRaised0='2016-04-04 00:00:00'  
 SELECT DISTINCT [AlertView].[Id],[AlertView].[Name],[AlertView].[Description],[AlertView].[MonitoringObjectId],[AlertView].[ClassId],[AlertView].[MonitoringObjectDisplayName],[AlertView].[MonitoringObjectName],  
                 [AlertView].[MonitoringObjectPath],[AlertView].[MonitoringObjectFullName],[AlertView].[IsMonitorAlert],[AlertView].[ProblemId],[AlertView].[RuleId],[AlertView].[ResolutionState],[AlertView].[Priority],  
                 [AlertView].[Severity],[AlertView].[Category],[AlertView].[Owner],[AlertView].[ResolvedBy],[AlertView].[TimeRaised],[AlertView].[TimeAdded],[AlertView].[LastModified],[AlertView].[LastModifiedBy],  
                 [AlertView].[TimeResolved],[AlertView].[TimeResolutionStateLastModified],[AlertView].[CustomField1],[AlertView].[CustomField2],[AlertView].[CustomField3],[AlertView].[CustomField4],[AlertView].[CustomField5],  
                 [AlertView].[CustomField6],[AlertView].[CustomField7],[AlertView].[CustomField8],[AlertView].[CustomField9],[AlertView].[CustomField10],[AlertView].[TicketId],[AlertView].[Context],[AlertView].[ConnectorId],  
                 [AlertView].[LastModifiedByNonConnector],[AlertView].[MonitoringObjectInMaintenanceMode],[AlertView].[MonitoringObjectHealthState],[AlertView].[ConnectorStatus],[AlertView].[RepeatCount],  
                 [MT_Computer].[NetbiosComputerName],[MT_Computer].[NetbiosDomainName],[MT_Computer].[PrincipalName],[AlertView].[LanguageCode],[AlertView].[AlertParams],[AlertView].[SiteName],  
                 [AlertView].[MaintenanceModeLastModified],[AlertView].[StateLastModified],[AlertView].[TfsWorkItemId],[AlertView].[TfsWorkItemOwner],  
                 [TEMP].DisplayName AS GroupName  
 FROM dbo.fn_AlertView(@LanguageCode1, @LanguageCode2) AS AlertView   
 LEFT OUTER JOIN dbo.MT_Computer ON AlertView.TopLevelHostEntityId = MT_Computer.BaseManagedEntityId  
 INNER JOIN dbo.RecursiveMembership AS RM ON AlertView.MonitoringObjectId = RM.ContainedEntityId   
 INNER JOIN @TMP_GROUP_TABLE AS TEMP ON RM.ContainerEntityId = TEMP.BaseManagedEntityId  
 WHERE (AlertView.[ResolutionState] = @ResolutionState0   
 AND AlertView.[Severity] >= @Severity0   
 AND AlertView.[TimeRaised] > @TimeRaised0)   
 AND (((RM.ContainerEntityId IN ( SELECT BaseManagedEntityId FROM @TMP_GROUP_TABLE ) )))   
 ORDER BY [AlertView].[LastModified] DESC  

Now that you have your data in place, let's make the Datazen dashboard for your teams!

This is a 5-minute dashboard; you can edit the query to set some "alert thresholds" and create a more KPI-oriented alert view dashboard in Datazen.

Cheers,

Monday, April 4, 2016

OpsMgr (SCOM) - Alerts per group SQL Query

A few days ago, I showed how to get SCOM alerts for a certain group in PowerShell.
Now I needed to put it in Datazen, and I could, but it's simpler to get the data with SQL, so the query I came up with is this:

 DECLARE @TMP_GROUP_TABLE table(groupname varchar(50));  
 insert into @TMP_GROUP_TABLE   
 values('Group #1'), -- List  
      ('Group #2'), -- Of   
      ('Group #3'), -- Groups   
      ('Group #4'), -- You  
      ('Group #5') -- Want  
 SELECT   
     s.displayName as [Group],   
     CASE WHEN t.Path IS NULL THEN t.DisplayName ELSE t.path END AS [CI],  
     av.AlertName as [Alert Name],  
     av.AlertDescription as [Description],  
     count(av.AlertName) as [AlertCount],  
     ResolutionState, RaisedDateTime,av.Severity  
 FROM vrelationship r   
      inner join vManagedEntity s on s.ManagedEntityRowId = r.SourceManagedEntityRowId   
      inner join vManagedEntity t on t.ManagedEntityRowId = r.TargetManagedEntityRowId   
      inner join Alert.vAlert av on av.ManagedEntityRowId= t.ManagedEntityRowId  
      inner JOIN Alert.vAlertDetail adv on av.AlertGuid =adv.AlertGuid   
      inner JOIN Alert.vAlertResolutionState arsv on av.AlertGuid =arsv.AlertGuid   
      inner JOIN Alert.vAlertParameter apv on av.AlertGuid =apv.AlertGuid   
 WHERE   
      -- I choose 7 days, you can put a value as you like  
      RaisedDateTime >=DATEADD(day,-7,GETDATE())  
      and s.DisplayName IN ( SELECT groupname FROM @TMP_GROUP_TABLE )  
      -- Filter only for CRIT and WARN alarms  
      AND av.Severity >= 1  
 group by s.displayName,t.displayname,av.AlertDescription,ResolutionState,RaisedDateTime,av.Severity,av.AlertName,t.Path  
 order by AlertCount desc  

This is useful for creating a nice Datazen dashboard to keep teams up to date with their alarms (you can put their objects inside their respective groups).

Feel free to criticize, I'm no SQL master at all (lol!)

Thursday, March 31, 2016

OpsMgr (SCOM) - Powershell Event Views Dashboard

I don't like the idea of having lots of consoles connecting to my Management Servers, so I give my clients the web console link.
But, as you might know, there are a bunch of limitations, like "Event Views" not showing up.
So, I needed to overcome this issue.

The solution was to put PowerShell in a SCOM dashboard.

First, create a new PowerShell Grid Layout "Dashboard View" with one cell.
Configure it and paste this code:

 # This example is for a rule I have for unexpected restarts/shutdowns (EventID = 1074)  
 # Change it as you like!  
 $a = Get-SCOMManagementGroup  
 $b = New-Object Microsoft.EnterpriseManagement.Monitoring.MonitoringEventCriteria "RuleId='e7c857e6-7654-5f89-ecdf-8f93325c83ee'"  
 $Events = $a.GetMonitoringEvents($b)  
 $i = 0  
 foreach ($Event in $Events) {  
   $EventDescription = 'User : ' + [string]$Event.Parameters[6] + ' || Type : ' + [string]$Event.Parameters[4] + ' || Reason : ' + [string]$Event.Parameters[5]  
   $TimeAdded = $Event.TimeAdded  
   $LoggingComputer = [string]$Event.LoggingComputer  
   $dataObject = $ScriptContext.CreateInstance("xsd://foo!bar/baz")  
   $dataObject["Id"]=$i.toString()  
   $dataObject["TimeAdded"]=$TimeAdded  
   $dataObject["LoggingComputer"]=$LoggingComputer  
   $dataObject["Description"]=$EventDescription  
   $ScriptContext.ReturnCollection.Add($dataObject)  
   $i++  
 }  

:) Enjoy!

Friday, March 4, 2016

OpsMgr (SCOM) - Alert Views without any console ?

Recently I needed to put "Alert Views" on 4 different teams' TVs.

My first thought was ... "WebConsole can't do the job ..."
Then I remembered that PS1 could save my day!

Cons:

- SCOM Web Console is too slow;
- You need IE;
- ... and Silverlight;

Solution :

- Created a PS1 that, for every group I want, gets the latest 24h of alerts (Warn/Crit);
- For each group I create an HTML file and put it on my favourite web server;
- Created a runbook that runs the PS1 on a 90-second schedule;
      - You can also use a Scheduled Task for the job;
- The HTML has a meta tag that makes the page refresh every 30 seconds;


 Import-Module OperationsManager  
 New-SCOMManagementGroupConnection -ComputerName "SCOMSERVER_GOES_HERE"  
 $MyGroups = @()  
 Foreach ($item in Get-Content C:\OpsMgr\WebAlertViews\conf\Groups.conf ) {  # Don't forget to change this path!
     $MyGroups += Get-SCOMGroup -DisplayName $item  
 }  
 $newTime = (Get-Date).AddHours(-24)  
 $Criteria = New-Object Microsoft.EnterpriseManagement.Monitoring.MonitoringAlertCriteria("ResolutionState = 0 AND Severity >= 1 AND TimeRaised > `'$newTime`'")  
 $TransversalDepth = [Microsoft.EnterpriseManagement.Common.TraversalDepth]::Recursive  
 Foreach ( $Group in $MyGroups ) {  
     $Head = "<meta http-equiv='refresh' content='30'>"  
     $Head +="<style>"  
     $Head +="BODY{background-color:White;font-family:Verdana,sans-serif; font-size: x-small;}"  
     $Head +="TABLE{font-family: verdana,arial,sans-serif; font-size:12px; color:#333333; border-width: 1px; border-color: #666666; border-collapse: collapse;}"  
     $Head +="TH{border-width: 1px; padding: 8px; border-style: solid; border-color: #666666; background-color: #dedede;}"  
     $Head +="TD{border-width: 1px; padding: 8px; border-style: solid; width:auto;}"  
     $Head +="</style>"  
     $Body = "<br><br>"  
     $Body += "<img src='.\images\nos_logo_detail.png' height='12%' width='12%'>"  
     $Body += "<center><h1 style=color:#999999>.: Relatório SCOM - Alert View | $(($Group).DisplayName) :.</h1></center>"  
     $Body += "<center><table>"  
     $Body += "<tr>"  
     $Body += "<td>Severity</td>"  
     $Body += "<td>Time Raised</td>"  
     $Body += "<td>Path</td>"  
     $Body += "<td>Name</td>"  
     $Body += "<td>DisplayName</td>"  
     $Body += "<td>Description</td>"  
     $Body += "</tr>"  
     $Alerts = $Group.GetMonitoringAlerts( $Criteria, $TransversalDepth )  
     Foreach ($Alert in $Alerts ) {  
         If ($Alert.Severity -eq 2) { $image = 'critical.png' }  # You need these image files on the web server
         If ($Alert.Severity -eq 1) { $image = 'warning.png' }  
         $Body += "<tr>"  
         $Body += "<center><td><img src='.\images\$Image' height='25px' width='25px'></td></center>"  
         $Body += "<td>$(($alert).TimeRaised)</td>"  
         $Body += "<td>$(($alert).MonitoringObjectPath)</td>"    
         $Body += "<td>$(($alert).Name)</td>"  
         $Body += "<td>$(($alert).MonitoringObjectDisplayName)</td>"  
         $Body += "<td>$(($alert).Description)</td>"  
         $Body += "</tr>"  
     }      
     $Body += "</table></center>"  
     # The -replace calls below are there because of the "Unix/Linux Group" name!
     $HTMLFileName = (($Group.DisplayName -replace '/','_') -replace ' ','') + '.html'  
     $HTML = ConvertTo-Html -Head $head -Body $Body  
     $HTML > \\MyWebServer\SiteName\AlertViews\AlertView_$HTMLFileName    
 }  
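
The script above writes alert fields such as Description and Name straight into the HTML, and that text originates on the monitored systems, so any markup in it is rendered by the TV browsers. The following is an added example, not part of the original script: it HTML-encodes each field and builds a stricter file name. The function names `ConvertTo-AlertRow` and `Get-SafeFileName`, the `info.png` icon and the sample alert are assumptions made for illustration.

```powershell
# Added example: encode alert text before it goes into the page.
# The alert object at the bottom is constructed sample data, not real SCOM output.
function ConvertTo-AlertRow {
    param([Parameter(Mandatory)] $Alert)

    # Map severity to an icon; anything unexpected gets a neutral icon
    # (info.png is a hypothetical file name).
    $image = switch ([int]$Alert.Severity) {
        2       { 'critical.png' }
        1       { 'warning.png' }
        default { 'info.png' }
    }

    # Every field that comes from monitored systems is HTML-encoded,
    # so markup inside an alert is displayed as text instead of rendered.
    $cells = @(
        $Alert.TimeRaised, $Alert.MonitoringObjectPath, $Alert.Name,
        $Alert.MonitoringObjectDisplayName, $Alert.Description
    ) | ForEach-Object {
        '<td>' + [System.Net.WebUtility]::HtmlEncode([string]$_) + '</td>'
    }

    "<tr><td><img src='./images/$image' height='25px' width='25px'></td>" +
        ($cells -join '') + '</tr>'
}

function Get-SafeFileName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Keep letters, digits, dash and underscore; replace everything else,
    # which also covers "\", ":" and ".." and not only "/" and spaces.
    ($DisplayName -replace '[^\w\-]', '_') + '.html'
}

# Constructed sample alert whose description contains markup
$sample = [pscustomobject]@{
    Severity                    = 2
    TimeRaised                  = Get-Date
    MonitoringObjectPath        = 'srv01.contoso.local'
    Name                        = 'Unexpected shutdown'
    MonitoringObjectDisplayName = 'srv01'
    Description                 = 'Reason: </td></tr></table><h1>injected markup</h1>'
}

ConvertTo-AlertRow -Alert $sample
Get-SafeFileName -DisplayName 'Unix/Linux Group: Prod'
```

In the original loop, the six `$Body += "<td>...</td>"` lines would be replaced by `$Body += ConvertTo-AlertRow -Alert $Alert`; note that `Get-SafeFileName` replaces spaces with underscores instead of removing them, so existing file names change.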

Tuesday, February 16, 2016

[SCOM & Orchestrator] - Alert Forwarding

Let's analyse this scenario:

You want SCOM to forward alerts or open alerts as incidents in a third-party software.

Cons:
SCOM has a limitation when it comes to processing alerts;
Only "Notification Pool Members" can manage notifications;
If your channel/subscription relationship is heavy, you might get a problem - unmanaged alerts.

Pros:
All the Cons! :)

Now, the idea: (Thanks to a PFE friend! MD, thank you!)
What about having SCOM just mark the alerts with some kind of tag, and then let Orchestrator listen for that tag and do the rest?
So, for every subscription I have, I call a PowerShell-script-based channel with this code:
Param([string]$AlertId,[string]$subscriptionID)
Import-Module OperationsManager
$MySubId = $subscriptionID.toString()
$MyAlertId = $AlertID.toString()
$sub = (Get-SCOMNotificationSubscription -Id $MySubId).DisplayName
Get-SCOMAlert -Id $MyAlertId | Set-SCOMAlert -CustomField5 ":waiting" -CustomField6 $sub

On the other hand, I've got a command-line-based channel, configured like this:
Full Path of the command line : C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Command line parameters : -Command "& '"C:\OpsMgr\Powershell\Notifications\_OpsMgr_Set-SCOMAlert.ps1"'" -alertID '$Data/Context/DataItem/AlertId$' -subscriptionID '$MPElement$'
Startup folder for the command line : C:\Windows\system32\WindowsPowerShell\v1.0\


And I've got this runbook on the other side (Orchestrator):

1) Create alerts on the other side :

2) Close alerts on the other side : (If a SCOM Alert gets closed!)

In my case I send an SNMP trap to my "central" alarm system with specific identifiers, and when I do, I mark "-CustomField5" as Forwarded just to make sure everyone knows that my alarm was processed.

If you have any questions, just let me know! :)

Cheers