
Rule to Generate an Alert when X events in Y minutes

This came up on the forums recently, and it is a fairly frequent request. So here I run through how to create a composite data source that lets you build a rule which checks for X events in Y minutes, with both the event count and the time interval exposed as overrides.

Create a new Empty Management Pack (e.g. called XEventsInYMinutes)

image

Assign a Display Name of Alert on X Events In Y Minutes

image

Go to Type Library and create a new composite data source

image

Give the composite data source a unique identifier e.g. XEventsInYMinutes.ConsolidatedEvents

image

Enter a Display Name e.g. X Events In Y Minutes Consolidated Events

image

Go to the Configuration Schema tab and under Simple Configuration Schema, click Add

image

Add IntervalInSeconds and EventCount (note – these are case sensitive in the authoring console!) and then make sure you change the type of each to Integer, as follows

image

Go to the Overridable Parameters tab, add the IntervalInSeconds and EventCount parameters, and make sure you set each as Integer

image

On the Member modules tab, Add a Data Source of type Microsoft.Windows.EventProvider and give it a Module ID of Event

image

Click Configure

image

Choose the Windows event log, e.g. Application

image

Choose Expression

image

You should then see the following

image

For Computer Name – note this from the help files:

The ComputerName parameter is most commonly passed to the module by using the $Target notation, although it can be specified as any string. This module attempts to connect either to the local computer’s event log or to a remote event log, depending on the configuration passed.

For a workflow that is targeted at Windows Computer, the ComputerName element is specified as shown in the following code:

$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$

If the target is a class hosted by the computer, Host references are added as required. For example:

$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$

The ComputerName parameter is optional, but as a best practice, it should be specified.

I am going to target the rule at Microsoft.Windows.Computer, so best practice means I should enter the Computer Name as

$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$

Click OK to get back to

image

Then add a new Condition Detection module of type System.ConsolidatorCondition with a Module ID of EventConsolidation

image

Then click Configure

image

And then click Configure again and change the Consolidation Settings. Each of these settings is discussed here

image

Then click the Edit button in the bottom right of the above screenshot to set the event properties that must be identical for events to be considered the same

image

Then click OK and OK again to get the following.

image

We want to expose IntervalInSeconds and EventCount as overridable, so change the fields to match the following

$Config/IntervalInSeconds$

$Config/EventCount$

image

Then click OK to get back to the following

image

Change the Next Module setting so that the Event module goes to the EventConsolidation module and the EventConsolidation module is set to Module Output, as follows

image

Check the data type

image
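For reference, this is the management pack XML that the steps above produce when the Authoring Console saves the composite data source. It is an added example, not XML taken from the original post; it assumes the management pack references Microsoft.Windows.Library as Windows! and System.Library as System!, and it filters on a constructed event ID 123 from a constructed publisher name (MyApp), which the post's screenshots do not show. The CountMode value is one assumption for the consolidation setting the post configures in the screenshot; it is the mode that fires once the count is reached within a sliding window, which is the classic threshold-detection pattern (N occurrences of an event within a window) that this kind of rule implements.

```xml
<!-- Composite data source: X events in Y seconds, both values overridable.
     Added example; assumes Windows! and System! reference aliases exist. -->
<DataSourceModuleType ID="XEventsInYMinutes.ConsolidatedEvents" Accessibility="Public">
  <!-- Simple configuration schema: the two parameters the post adds, both Integer -->
  <Configuration>
    <xsd:element name="IntervalInSeconds" type="xsd:integer" />
    <xsd:element name="EventCount" type="xsd:integer" />
  </Configuration>
  <!-- Overridable Parameters tab: expose both values to operators -->
  <OverrideableParameters>
    <OverrideableParameter ID="IntervalInSeconds" Selector="$Config/IntervalInSeconds$" ParameterType="int" />
    <OverrideableParameter ID="EventCount" Selector="$Config/EventCount$" ParameterType="int" />
  </OverrideableParameters>
  <ModuleImplementation>
    <Composite>
      <MemberModules>
        <!-- Member module 1: the event provider, Module ID "Event" -->
        <DataSource ID="Event" TypeID="Windows!Microsoft.Windows.EventProvider">
          <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
          <LogName>Application</LogName>
          <Expression>
            <And>
              <Expression>
                <SimpleExpression>
                  <ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
                  <Operator>Equal</Operator>
                  <!-- constructed sample event ID -->
                  <ValueExpression><Value Type="UnsignedInteger">123</Value></ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression><XPathQuery Type="String">PublisherName</XPathQuery></ValueExpression>
                  <Operator>Equal</Operator>
                  <!-- constructed sample event source -->
                  <ValueExpression><Value Type="String">MyApp</Value></ValueExpression>
                </SimpleExpression>
              </Expression>
            </And>
          </Expression>
        </DataSource>
        <!-- Member module 2: the consolidator, Module ID "EventConsolidation" -->
        <ConditionDetection ID="EventConsolidation" TypeID="System!System.ConsolidatorCondition">
          <Consolidator>
            <!-- Properties that must match for two events to be counted together -->
            <ConsolidationProperties>
              <PropertyXPathQuery>EventDisplayNumber</PropertyXPathQuery>
              <PropertyXPathQuery>PublisherName</PropertyXPathQuery>
            </ConsolidationProperties>
            <!-- The Y part: window length taken from the overridable parameter -->
            <TimeControl>
              <WithinTimeSchedule>
                <Interval>$Config/IntervalInSeconds$</Interval>
              </WithinTimeSchedule>
            </TimeControl>
            <!-- The X part: count taken from the overridable parameter.
                 CountMode is an assumed value: output when the count is reached,
                 then restart, with the timer sliding by one item. -->
            <CountingCondition>
              <Count>$Config/EventCount$</Count>
              <CountMode>OnNewItemTestOutputRestart_OnTimerSlideByOne</CountMode>
            </CountingCondition>
          </Consolidator>
        </ConditionDetection>
      </MemberModules>
      <!-- Next Module settings: Event feeds EventConsolidation, which is the module output -->
      <Composition>
        <Node ID="EventConsolidation">
          <Node ID="Event" />
        </Node>
      </Composition>
    </Composite>
  </ModuleImplementation>
  <!-- Output data type checked on the Data Types tab -->
  <OutputType>System!System.ConsolidatorData</OutputType>
</DataSourceModuleType>
```

The consolidation properties are what keep the count honest: without them, any event matching the expression is added to the same bucket, so two unrelated sources logging the same event number would be counted together. Listing EventDisplayNumber and PublisherName, as the post's Edit dialog does, scopes the threshold to one event from one source.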

Then click OK and go to Health Model, Rules, New Custom Rule

image

Choose unique identifier e.g. XEventsInYMinutes.Event123

image

Set the Display Name and Target

image

On the modules tab, add the XEventsInYMinutes.ConsolidatedEvents module and assign a Module ID e.g. Event123XEventsInYMinutes

image

Configure the default settings for IntervalInSeconds and EventCount

image

On the Actions tab we need to generate an alert, so add the module System.Health.GenerateAlert and provide a Module ID e.g. Event123Alert

image

Then on the Action window, click Edit and then Configure to get the following

image

We can set an alert name, description, priority, severity, alert suppression, and any custom properties that we want to set.

image
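The rule that the second half of the post builds in the Health Model, expressed as the management pack XML the Authoring Console writes. This is an added example, not XML from the original post. It assumes the composite data source from the first half, a Health! reference alias for System.Health.Library and a Windows! alias for Microsoft.Windows.Library, and it uses constructed defaults of 5 events in 300 seconds; the alert message text and the $Data/Count$ parameter (the event count the consolidator output carries) are also choices made for this example rather than taken from the screenshots.

```xml
<!-- Rule consuming the composite data source and raising an alert.
     Added example; assumes Windows!, Health! aliases and the data source above. -->
<Rule ID="XEventsInYMinutes.Event123" Enabled="true"
      Target="Windows!Microsoft.Windows.Computer"
      ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <!-- Module ID from the post; default values are constructed for this example -->
    <DataSource ID="Event123XEventsInYMinutes" TypeID="XEventsInYMinutes.ConsolidatedEvents">
      <IntervalInSeconds>300</IntervalInSeconds>
      <EventCount>5</EventCount>
    </DataSource>
  </DataSources>
  <WriteActions>
    <!-- Module ID from the post; priority/severity/suppression are example settings -->
    <WriteAction ID="Event123Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="XEventsInYMinutes.Event123.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <!-- Count of consolidated events in the window, and the last event's text -->
        <AlertParameter1>$Data/Count$</AlertParameter1>
        <AlertParameter2>$Data/Context/DataItem/EventDescription$</AlertParameter2>
      </AlertParameters>
      <!-- Suppress repeat alerts per computer while the first is open -->
      <Suppression>
        <SuppressionValue>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>

<!-- String resource referenced by AlertMessageId -->
<StringResource ID="XEventsInYMinutes.Event123.AlertMessage" />

<!-- Display strings for the rule and its alert (example wording) -->
<DisplayString ElementID="XEventsInYMinutes.Event123">
  <Name>Alert on X Events In Y Minutes - Event 123</Name>
  <Description>Raises an alert when the configured number of event 123 entries occur within the configured interval.</Description>
</DisplayString>
<DisplayString ElementID="XEventsInYMinutes.Event123.AlertMessage">
  <Name>Event 123 threshold exceeded</Name>
  <Description>{0} occurrences of event 123 were logged within the configured interval. Last event: {1}</Description>
</DisplayString>
```

Because the rule passes literal defaults (300 and 5) into the data source, the values operators see in the Overrides dialog are exactly these two elements, and changing them per group or per object does not require touching the data source type.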

  1. September 19, 2011 at 6:57 pm

    It took me a second to figure out that this is not for SCOM 2007 R2. How would you accomplish this via R2? I know that you can do timed eventlog captures in R2, but not sure if this specific method you outlined here can be utilized in R2? Can it????

    Thanks for any replies!

  2. January 2, 2012 at 5:45 pm

    This applies equally to SCOM 2007 R2 and SCOM 2012 – you do need to use the authoring console though. It can’t be done from the main SCOM monitoring console.
