In a blog I posted last year called “What’s the difference between a rule and a monitor…the simple version“, I ended my post alluding to a follow up to show some options to identify whether an alert is being generated by a rule or a monitor. I have recently been reminded that I never followed through on my next post, so here it is! This is nothing new and has been blogged about in the past, but I still find quite a few engineers that are not aware of this capability so hopefully this will help some folks out.
I won’t get too deep into why it’s important to distinguish between a rule and a monitor when closing SCOM alerts as I’ve explained it in detail in the link above. In short, if you close an alert generated by a monitor while the health state of the object is still in a warning or critical state, the alert is broken and will not trigger again until the health state of the object is either reset manually or due to the condition being resolved. You don’t want to manually close monitor based alerts.
In this post, I’m going to demonstrate a very simple workaround for this issue. In the default Active Alerts view, there is no visual way to distinguish between an alert generated by a rule or monitor unless you click on each individual alert and check the Alert Details or Alert Actions. One way to get around this is to configure a simple Alert dashboard and add the IsMonitorAlert property which adds a monitor icon to the left of all alerts generated by a monitor.
- In the Monitoring workspace, right click Monitoring and create a new Dashboard view.
- Select the Grid template.
- Enter a name for your view. This is the name that will appear in the Monitoring workspace.
- Select “1 Cell” and Create to finish the template. At this point we have created our monitoring view template, but we still need to create the actual Alert widget.
- Select “Click to add widget..”
- Select Alert Widget
- Enter a name and description for the widget. This name will display once you open the widget.
- On the “Specify the Scope” page leave the default “All”. You can be more granular here if you only want to show alerts for specific objects.
- On the “Specify the Criteria” page select Critical, Warning, and New to display all unresolved critical and warning alerts.
- On the “Specify Display Preferences” page choose your preferences. The one property that you must choose is the IsMonitorAlert property as this will display the monitor icon next to all alerts generated by monitors. Once you select this icon, use the up arrow to move this property to the top of the list to ensure that it is displayed on the far left of your alert view. I’ve also added Severity to the “Group By” section to sort alerts by Severity and removed some default fields to make the view more readable.
- And that’s it! We now have an alert view which we can use to easily see which alerts are generated by a monitor and should not be closed manually, and which alerts were generated by rules.