Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Windows Event ID varilable in an alert?

Howdy.

I'm aware that you can poll Windows servers for an instance of a specific Event ID from the Windows Event Log. Normally you then use that component monitor's status in the resulting alert. Does anyone know how to use the specific Event ID that was detected in an alert? I know I'm probably looking at custom SQL somewhere but I can't find the specifics from perusing the database.

You may be asking "why do this? You already know the event ID since it's part of the Component definition?!?" I need to do this to draft the logic on the reset action. Here's the scenario:

We have Citrix servers that all get their licensing information from a central licensing server. If the licensing server goes down or if an individual Citrix box cannot contact the licensing server for whatever reason, a series of events are written in the Event log. We can detect that with no issues.

There's a subsequent message written to the Event Log after things are fixed. Different ID number. Ultimately I want to look for the presence of the second ID as the reset condition for the initial condition. If I need to include that ID in the Component monitor so that it's part of the dataset that is available that's fine but I then need to filter the alert to not trigger if the detected ID is X but still trigger if it's Y. And that variable still needs to be available to craft the reset condition.

Any ideas on how to access the detected Event ID in the Alerting system?

Find more posts tagged with

Accepted answers

All comments

Petr.Vilem

Problem is that in each poll zero to many events can be matched. Custom SQL macro that would give you Code (Event ID) of most recent event detected by given component could look like this: ${SQL: SELECT TOP 1 EventCode FROM [APM_WindowsEvent_Detail] WHERE ComponentID = ${N=SwisEntity;M=ComponentID} ORDER BY TimeGeneratedUtc DESC}

esojka

Thanks for the response.

I can't seem to find the correct item under the "Set up your SQL condition" dropdown that will validate that SQL. Whatever choice is made inserts the beginning of a SQL statement pertaining to that object type. That text field can't be edited, and the SQL pasted from your comment doesn't validate. Any ideas?

aLTeReGo

Correct me if I'm wrong. What I believe you are trying to accomplish is alert me when EventID "X" is found and remain in a state of alert until EventID "Y" is found. Unfortunately this is not currently possible today, though you can vote for this idea here ->

Petr.Vilem

Oh, I did not get that you mean trigger condition. Macro that I provided would work in Trigger/Reset actions but there is no support of macros in conditions. However, custom SQL should be still powerful enough to do what you requested.

I haven't fully tested it, but I think that custom part of SQL condition similar to this could do the trick:

JOIN (SELECT *, RANK() OVER (PARTITION BY ComponentID ORDER BY TimeGeneratedUtc DESC, RecordNumber DESC) as internalRank FROM APM_WindowsEvent_Detail WITH (NOLOCK)) latest ON latest.internalRank = 1 AND APM_AlertsAndReportsData.ComponentID = latest.ComponentIDWHERE APM_AlertsAndReportsData.ComponentType = 42 AND latest.EventCode = 15301

...just replace 15301 with your particular EventID.

Note that depending on size of your environment this query can be expensive to execute and keep in mind that alerting engine needs to execute it periodically when alert is enabled, so please measure execution time of full query in your environment and schedule alert evaluation accordingly.