SCOM Subscription for multiple criteria for the same parameter

spa5603 · May 30, 2018, 11:07am

Hey Community,

I have a problem. I want to create an SCOM subscription that filters my alarms. The problem is I want to check for multiple values of a single attribute.

Problem:
Alarm Severity critical and Custom Field 8 must not contain A or B.

I tried the console -> no success.

update PowerShell criteria -> no success.
Code:
<And xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>Severity</Property>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>2</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>CustomField8</Property>
</ValueExpression>
<Operator>NotEqual</Operator>
<ValueExpression>
<Value>A</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<Property>CustomField8</Property>
</ValueExpression>
<Operator>NotEqual</Operator>
<ValueExpression>
<Value>B</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>

The XML OR group is accepted by SCOM when updating, but the subscription does not work.

Regex is not supported: -> no success
The element ‘Expression’ has invalid child element ‘RegExExpression’. List of possible elements expected: ‘SimpleExpression, UnaryExpression, And, Or’.

Last idea was the use of SQL-style Wildcards… -> no success

SCOM works in this case with the ‘like’ operator and in this case i need the ‘notlike’. I have updated the operator to notlike at the subscription and the update was a success but the subscription stopped working…

anyone else good ideas?

jannep · May 30, 2018, 1:23pm

This is the reason why I gave up on SCOM:s notification and built my own. Also the lack of “where criteria not like”
I use powershell and get-scomalert | where- yadayada…

And then push notifications that way.

f1point2 · May 30, 2018, 2:28pm

From Alexey here - https://social.technet.microsoft.com/Forums/ie/en-US/afe3dd6d-dbc1-4ba6-a0b3-33d96649c885/scom-2012-subscription-exclusion?forum=operationsmanagergeneral - it sounds like it should be possible to edit the xml.

In your example, are you just interested in alerts with a resolution status of new or all alerts (severity = critical, custom field 8 <> A and <> B? I’ll give this a spin my lab.

If you take the scripting route suggested by jannep then ideally use get-scomalert -criteria rather than get-scomalert | where …

https://blogs.technet.microsoft.com/stefan_stranger/2012/11/02/get-scomalert-cmdlet-the-criteria-parameter-and-the-non-equal-operator/

http://blog.ctglobalservices.com/operations-manager-scom/jgs/scom2012-using-the-get-scomalert-criteria-parameter-complete-reference/

Cheers

Graham

f1point2 · May 30, 2018, 8:18pm

As an update; the following works for me.

 <Criteria>
                <Expression>
                  <And xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                    <Expression>
                      <SimpleExpression>
                        <ValueExpression>
                          <Property>Severity</Property>
                        </ValueExpression>
                        <Operator>Equal</Operator>
                        <ValueExpression>
                          <Value>2</Value>
                        </ValueExpression>
                      </SimpleExpression>
                    </Expression>
                    <Expression>
                      <SimpleExpression>
                        <ValueExpression>
                          <Property>ResolutionState</Property>
                        </ValueExpression>
                        <Operator>Equal</Operator>
                        <ValueExpression>
                          <Value>10</Value>
                        </ValueExpression>
                      </SimpleExpression>
                    </Expression>
                    <Expression>
                      <SimpleExpression>
                        <ValueExpression>
                          <Property>CustomField8</Property>
                        </ValueExpression>
                        <Operator>NotEqual</Operator>
                        <ValueExpression>
                          <Value>A</Value>
                        </ValueExpression>
                      </SimpleExpression>
                    </Expression>
                    <Expression>
                      <SimpleExpression>
                        <ValueExpression>
                          <Property>CustomField8</Property>
                        </ValueExpression>
                        <Operator>NotEqual</Operator>
                        <ValueExpression>
                          <Value>B</Value>
                        </ValueExpression>
                      </SimpleExpression>
                    </Expression>
                  </And>
                </Expression>
              </Criteria>

If I change the Alert Resolution State of a critical alert to “Test:” which has a value of 10 and Custom Field 8 to either A or B then I do not get a notification.

If I change the Alert Resolution State of a critical alert to “Test:” which has a value of 10 and Custom Field 8 to something other than A or B then I do get a notification.

Is this what you are looking for? You probably want to change the resolution state to zero but other than that I “think” that is what you wanted ??

Cheers

Graham

spa5603 · May 31, 2018, 11:26am

I’ve done it, and it seems to be working. At first I doubted but after a short research about De Morgan’s laws I implemented it and it was a success.

The Morganian laws:
not (a or b) = (not a) and (not b)
not (a or b) -> does not work
(not a) and (not b) -> works

Thank you very much Graham