
How to get Event ID information as part of the alert message?

Hi All,

How to get Event ID information as part of the alert message? I did check some inbuilt variables but it doesn't seem to give any output... this is very critical for us to pass in the alert as it gets sent to the technical teams...

1 Solution

If you're using a component alert, you can use the variable: ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages} - this will embed the entire event message (ID, etc) into the alert message.

If you want only the event ID, you'll need a custom SWQL or SQL query to pull the relevant record from the APM_WindowsEvent_Detail table in the database. There is an EventCode column containing the event ID.

You'd probably need to filter by ${N=SwisEntity;M=ComponentAlert.ComponentID} and maybe sort by record number.


4 Replies

@shuth, can we pull or attach the Event Log body for any events logged in the Windows node?

Using the ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages} in the email alert body?
0 Kudos
I'm not actually sure from memory what method is used to show the event message (i.e. only the last received message or the last X received messages), but I'm pretty sure the only messages recorded are ones that match the filter.
All the messages found are shown on the Component Details view in the Event Log resource. They are also kept in the database for a bit depending on your retention period. You could theoretically use a SWQL query to pull out the last X messages.

If you want all the events, you'll either need to pay for Log Analyzer or use a free tool like Event Log Forwarder (converts event log messages to syslogs).
https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows
Thank you for the suggestion and the pointer @shuth.
0 Kudos