VMware Events Alerts with Regards to Virtual Machine

Hi,

I have a peculiar case where I need to trigger alerts from VMware events (VMAN) and use custom VM properties in the alert.

Below is what I'm trying to accomplish:

- Create a rule for VMware events where the trigger is that the message contains "HA restarted".

- Create an alert from the rule.

- The alert should send an email to the virtual machine's owner (Custom property).

We have a custom property for virtual machines named "Owner Email".

However, the auto-generated alert from Log Analyzer alerts on Nodes, not virtual machines.

When I try to change it to "Virtual Machine" instead, the trigger condition is reset.

I have tried using SQL queries as variables, but unfortunately it does not accept the query as an email recipient.

Any advice is appreciated

Thank you

  • I haven't tested this yet, but I have done some work in this space.

    I think the LA alerts want to alert on a node, because being a node/being "monitored" is the criteria for events to not be dropped, at least usually. VMware events are properties of the parent vCenter as well, so if Nodes is forced I'm not shocked as such.

    Nodes and VMs are parallel, and you can call VM customproperties from a node and node customproperties from a VM

    I think the alert will trigger against the parent vSphere, and that's not parallel anymore really. I think what you want is a custom SWQL macro that JOINs to the VM table based on some identifying thingy in the event.

    There is a section in the DB for an assumed link, I can't remember what it is at the moment but I didn't find it a reliable thing last I tried, and I'm foggy enough on it that I might be mixing it up. Custom macro should do it.

  • Hi Adam,

    Thank you for the reply.

    Can you tell me where to find the section in the DB that you mentioned?

    I'm kinda new to SolarWinds.

  • Ah, you've stumbled across a reasonably hard one. Could you put some sanitized events in the chain of the sort you'd like to link to their owner?

    Could you confirm that the custom properties are definitely against virtual machines not nodes?

  • So the event that I am capturing is as follows:

    vSphere HA restarted virtual machine <vm_name> on host <vshpere_host> in cluster <cluster_name>

    I'm using the below query to get the <vm_name> from the event message:

    ${SQL: SELECT SUBSTRING(replace('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}','vSphere HA restarted virtual machine ',''),0, charindex(' on ',replace('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}','vSphere HA restarted virtual machine ',''),0))}

    Then I would like to join the VIM_VirtualMachines table with the VIM_VirtualMachinesCustomProperties table to get the owner emails using the <vm_name>.

    To answer your question, yes the custom properties are against virtual machines.

  • I don't think you count as new anymore if you've already got that together!

    Something like the below, I've switched to SWQL over SQL as that tends to be better long term.

    Because we're using names not UIDs I've added a separate match for the hostname in case there's multiple VMs with the same name.

    ${N=SWQL;M=SELECT top 1 v.CustomProperties.OwnerEmail as macro from orion.vim.virtualmachines v where v.DisplayName like SUBSTRING(replace('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}','vSphere HA restarted virtual machine ',''),0, charindex(' on ',replace('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}','vSphere HA restarted virtual machine ',''),0)) and v.Host.DisplayName like Substring('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}', Charindex(' on host ','${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')+9, Charindex(' in cluster','${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')-Charindex(' on host ','${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')-9) UNION ALL (Select top 1 ' ' as stopsNullErrors from orion.vim.virtualmachines v)}


    If that doesn't work right out the box give it a working for a bit, I've had to find/replace out some stuff from my end.

    I've stuck that on one line because if you want to email the owner, you can't place linebreaks in a subject line and it can mess with the macro.

    More readable: 

    SELECT top 1 v.CustomProperties.OwnerEmail as macro 
    from orion.vim.virtualmachines v
    where v.DisplayName like SUBSTRING(replace('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}','vSphere HA restarted virtual machine ',''),0, charindex(' on ',replace('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}','vSphere HA restarted virtual machine ',''),0))
    and v.Host.DisplayName like Substring('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}', Charindex(' on host ','${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')+9, 
    Charindex(' in cluster','${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')-Charindex(' on host ','${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}')-9)
    UNION ALL (Select top 1 ' ' as stopsNullErrors from orion.vim.virtualmachines v)
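
The macro in this thread pastes the raw event text between single quotes and matches it with `like`, so an apostrophe in a VM name unbalances the literal, `_` or `%` act as wildcards, and a name containing " on " is cut short. The following is an added example, not code from the thread or from SolarWinds: it parses the same event with an anchored pattern and builds a parameterised SWQL lookup. It assumes the query is run by a script through the SWIS API with `@vm`/`@host` bound as values, and that `SUBSTRING`/`CHARINDEX` behave as in T-SQL; all sample events are constructed.

```python
import re

PREFIX = "vSphere HA restarted virtual machine "
# Anchored pattern for the event text quoted in the thread.
HA_EVENT = re.compile(
    r"^vSphere HA restarted virtual machine (?P<vm>.+?) on host (?P<host>.+?)"
    r" in cluster (?P<cluster>.+)$"
)
# Parameterised lookup (assumption: executed via the SWIS API by a script,
# so @vm and @host are bound values and never become part of the query text).
OWNER_SWQL = (
    "SELECT TOP 1 v.CustomProperties.OwnerEmail AS OwnerEmail "
    "FROM Orion.VIM.VirtualMachines v "
    "WHERE v.DisplayName = @vm AND v.Host.DisplayName = @host"
)
# Constructed sample events (not taken from a real system).
SAMPLES = [
    PREFIX + "web_01 on host esx01.example.test in cluster Prod",
    PREFIX + "build on demand 01 on host esx02.example.test in cluster Prod",
    PREFIX + "o'brien-db on host esx03.example.test in cluster Lab",
]

def thread_vm_name(message):
    """VM name as the thread's REPLACE / CHARINDEX(' on ') / SUBSTRING yields it."""
    rest = message.replace(PREFIX, "")
    cut = rest.find(" on ")
    return rest[:cut] if cut >= 0 else ""

def parse_ha_event(message):
    """Return {'vm', 'host', 'cluster'} or None if the text is not this event."""
    m = HA_EVENT.match(message.strip())
    return m.groupdict() if m else None

def owner_lookup(message):
    """Return (swql, params) for the owner lookup, or None for other events."""
    fields = parse_ha_event(message)
    if fields is None:
        return None
    return OWNER_SWQL, {"vm": fields["vm"], "host": fields["host"]}

def breaks_macro_literal(message):
    """True if pasting the text between single quotes would unbalance them."""
    return "'" in message

def like_wildcards(name):
    """Characters that LIKE treats as pattern syntax rather than literal text."""
    return sorted(set(name) & set("%_["))
```
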
    
