
How to include event ID description in an alert


How can we include the event ID description in an alert? Is it possible in 5.2 with the Windows Event Log Monitor, or do we need to create a script monitor that shows the description as a message?


There is a macro ${WindowsEventMessages} which is intended for detailed info about events matched by the appropriate Windows Event Log Monitor. It contains not only event messages but also other details (like event ID).

If it does not suit your needs and you are interested in only one specific field, then it is doable with a custom SQL macro, but first of all you need to decide how you would like to handle the cardinality problem (the alert is bound to the monitor, but there may be multiple events returned from the last poll). So if you are, for example, interested in the event ID of the newest event captured by the monitor, then your macro could look like ${SQL:SELECT TOP 1 EventCode FROM APM_WindowsEvent_Detail WHERE ComponentID = ${ComponentID} ORDER BY TimeGeneratedUtc DESC}

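An added T-SQL sketch of the cardinality choice described in the answer above; it is not part of the original post and is not SolarWinds code. The table variable is a constructed stand-in for APM_WindowsEvent_Detail with only the three columns the post names (types assumed), @ComponentID stands in for the ${ComponentID} macro, and the rows and the EventSummary alias are constructed for illustration.

```sql
-- Constructed stand-in for APM_WindowsEvent_Detail (column types are assumptions).
DECLARE @APM_WindowsEvent_Detail TABLE (
    ComponentID      int,
    EventCode        int,
    TimeGeneratedUtc datetime
);

-- Constructed sample rows: one component matched three events, another matched one.
INSERT INTO @APM_WindowsEvent_Detail (ComponentID, EventCode, TimeGeneratedUtc) VALUES
    (101, 4625, '2015-03-01T10:00:05'),
    (101, 4625, '2015-03-01T10:00:09'),
    (101, 4740, '2015-03-01T10:00:12'),
    (202, 1102, '2015-03-01T10:01:00');

-- Stands in for the ${ComponentID} macro that the alert engine substitutes.
DECLARE @ComponentID int = 101;

-- Choice 1 (the query from the post): report only the newest event.
-- Any other events matched by the same monitor are not shown in the alert.
SELECT TOP 1 EventCode
FROM @APM_WindowsEvent_Detail
WHERE ComponentID = @ComponentID
ORDER BY TimeGeneratedUtc DESC;

-- Choice 2: still a single scalar, but it summarises every distinct event
-- code stored for the component, with a count, newest code first.
SELECT STUFF((
    SELECT ', ' + CAST(EventCode AS varchar(10))
                + ' x' + CAST(COUNT(*) AS varchar(10))
    FROM @APM_WindowsEvent_Detail
    WHERE ComponentID = @ComponentID
    GROUP BY EventCode
    ORDER BY MAX(TimeGeneratedUtc) DESC
    FOR XML PATH('')
), 1, 2, '') AS EventSummary;
```

Whether the second form can be used inside a ${SQL:...} macro depends on what the alert engine accepts, so test it against a non-production alert first.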

Hi All,

This will work. I have tested it and it's working fine in my environments. Good job.


The ${WindowsEventMessages} macro does not seem to be working for me -- I have an alert set up for an Application monitor that is checking for two Event log codes. When the codes occur it changes the monitor to critical. However, the alert simply passes the macro as if it were text (i.e. the body of the alert is "${WindowsEventMessages}", without quotes).

Product Manager

Can you post a screenshot of the Alert Trigger Condition as you have it defined?


pastedImage_0.png

Thanks!


What tool did you use to destroy part of your text so creatively?

---
Thwack Home Page | Personal Blog

IrfanView (free and awesome graphics viewer) > Image > Effects > Explosion (they also have Pixelise, which does a nice job of obfuscation).


Clipboard04.jpg


It is important to have selected "APM:Component" as the type of property to monitor, because the ${WindowsEventMessages} macro is available on the component level (not on the application level). I recommend removing all conditions after switching the selected type and adding them again, to be sure they are properly bound.

ComponentAlert.png
WindowsEventMessages.png

Thanks!


Thanks Petr.
