If you have read my “SCOM + OMS + Azure Automation” post here, you will recognize the example referenced below. The OMS Custom Field feature gives us the ability to create custom extracted fields in OMS to isolate and extract specific values from a line of log output. This feature is very powerful, and not only allows us to create custom fields for reporting and analytics, but it provides us with an easy option to isolate one particular value in a line of output and extract that exact field for all subsequent log entries for use in automation.
For the purposes of this demo, I will be referencing custom alerts that were created using Eventcreate and a custom SCOM event collection rule which is being forwarded to OMS via the Alert Management solution.
Let’s get started.
First, let’s log into the OMS console and verify that our alert is being forwarded to OMS.
- Log into the OMS workspace.
- Navigate to the Log Search blade.
- Enter the following query: Type=Alert “<Alert Name>”. Alert Name will be the display name of the SCOM rule created to alert when an instance of event 100 is present in the Application log. In this example, the alert name is “SET OMS Event Alert”.
Now that we have verified that logs are being written to OMS, we can configure the custom extracted field.
- Expand “show more” to expose all of the available log fields. In this case, we are interested in the AlertDescription field as it contains the “Free Space Remaining” value we will be extracting for our custom field.
- To the left of the AlertDescription field, select the context menu and “Extract fields from Alert”. This will bring us to the custom field configuration page.
- At this point, it’s time to highlight the exact item we want to be extracted from every log entry. For example, in my preconfigured field, I highlighted only the numerical value in the alert description field. This will prompt us for the custom field name. Fill in the field name and select Extract.
- After selecting Extract, the Search Results section will populate. We can now see the extracted value from every line of output that matches our configuration. The extracted value is highlighted in blue, with the AlertDescription field displayed below each extracted field instance. Ensure that the extracted value is the exact expected value. If it is not, remove the highlighted field and reconfigure. If the extracted field is correct, select “Save Extraction”.
- Notice that our newest “SET OMS Event Alert” log entry has a new field named PercentFree_CF! Every instance of this alert moving forward should contain this new custom field.
NOTE: If you do not see your custom field after configuration, this may be due to there being no new log entries. Only log entries which occur after custom field configuration will display the custom field.
That’s it! The custom field feature can be used for any log entry that OMS collects (custom logs, alerts, security and audit, performance data, etc.), which makes it a very flexible and powerful feature. Happy OMSing!