Custom searches for the following situations:
Before I give examples of the queries, it is best to show the filters. On every tab there is a filter on the left-hand side that helps you fine-tune your results. The filter lets you restrict the results to open alerts, a time range, alerts from certain integrations only, and severity.
In some cases I will use a combination of filters and search terms to create the saved search. In a couple of cases I will give an alternative to what you are after.
1. Alerts/Servers belonging to a specific Group in SCOM
This is possible, but only partly. Let me try to explain. You can search for a group, say my SQLtesting group.
That will bring up the group. This is a Live Maps group, so it has a health state; if yours is just a group in SCOM it will not.
When you click on it you can get more details (one of the blue buttons at the bottom). You are now on the Components page for that group, which shows all members, lets you explore the group, and lists all alerts and all incidents (if you have an ITSM integration).
The part that doesn't work is an actual saved search. If I save the search and scope it only to alerts, the group itself doesn't have an alert, so it will show up with zero. You can save a search that shows components, but it will only show 1 for the group.
Another, and preferable, way to do this is to put the members of your group into a board. Then you can look at it from the Boards page and see the total number of alerts.
2. Alerts with a specific name.
There are a couple of things you can try here. First make sure you are on the Alerts tab. Before creating your search, check any filters you want on or off. Even though the alert has a fixed name, do you want to show only the active ones (i.e. not resolved or closed alerts)?
After you have set the filter this can be very easy: just type in the name of the alert. You might want to add quotes around it.
Something like “Server-App” needs to be in quotes so the dash isn't treated as query syntax. If that gives you too many results, search on the full name as a field value, like this:
source.scom.Name:"OWA health set unhealthy (OwaCtpMonitor) - Outlook Web Access logon is failing on ClientAccess server DEMO-EXCH2"
This matches only alerts with exactly that name.
3. Alerts with a Custom Field set to a specific value
Here is a simple example.
source.scom.Custom\ Field\ 10:"Test Field information"
The “\” characters are there because the spaces in the field name have to be escaped.
4. Alerts with the incident/Ticket field set to a specific value or not empty
5. Alerts from a specific time frame – from Date Start to Date End
created:>=2018-09-10 AND created:<2018-09-15
lastUpdated:>=2018-09-10 AND lastUpdated:<2018-09-15
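The queries in items 2, 3 and 5 all use the same building blocks: a quoted phrase as the value, backslash-escaped spaces in a field name, and `>=`/`<` range clauses joined with AND. The helper below is an added example, not code from the original post or from the product; it assumes the search box accepts Lucene query_string syntax (the forms shown in the post suggest it does), and it reuses the post's field names `source.scom.Name`, `source.scom.Custom Field 10`, `created` and `lastUpdated`. It goes one step beyond the post by showing why quoting alone is not enough when the value comes from a form or a script rather than being typed by hand: a double quote inside the value ends the phrase early and the rest becomes query syntax, so the value has to be escaped as well.

```python
import re

# Lucene/Elasticsearch query_string reserved characters. Each must be
# backslash-escaped when it appears in an unquoted term such as a field name.
# (The post's `Custom\ Field\ 10` is exactly this escaping applied to spaces.)
_RESERVED = set('+-=&|><!(){}[]^"~*?:\\/ ')

_ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def escape_term(text: str) -> str:
    """Escape a bare term (a field name or an unquoted value)."""
    return "".join("\\" + c if c in _RESERVED else c for c in text)


def quote_phrase(text: str) -> str:
    """Return text as a double-quoted phrase.

    Backslashes and embedded double quotes are escaped so the phrase cannot be
    terminated early by its own content.
    """
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def naive_field_equals(field: str, value: str) -> str:
    """What NOT to do: the value is dropped straight between the quotes."""
    return f'{field}:"{value}"'


def field_equals(field: str, value: str) -> str:
    """field:"value" with the field escaped and the value safely quoted."""
    return f"{escape_term(field)}:{quote_phrase(value)}"


def date_range(field: str, start: str, end: str) -> str:
    """Half-open range [start, end) as two clauses, the form used in the post.

    Dates are ISO yyyy-mm-dd strings; in that form they compare correctly as text.
    """
    for d in (start, end):
        if not _ISO_DATE.fullmatch(d):
            raise ValueError(f"not an ISO date: {d!r}")
    if end <= start:
        raise ValueError("end must be after start")
    f = escape_term(field)
    return f"{f}:>={start} AND {f}:<{end}"


def and_all(*clauses: str) -> str:
    """Combine clauses with AND, each parenthesised so precedence is explicit."""
    return " AND ".join(f"({c})" for c in clauses)


if __name__ == "__main__":
    # Constructed sample input: the post's own examples, rebuilt from parts.
    print(field_equals("source.scom.Custom Field 10", "Test Field information"))
    print(date_range("created", "2018-09-10", "2018-09-15"))
    # A hypothetical value arriving from a form or script: the naive builder
    # lets the embedded quote end the phrase and turn the rest into syntax.
    hostile = 'DEMO-EXCH2" OR *:*'
    print(naive_field_equals("source.scom.Name", hostile))
    print(field_equals("source.scom.Name", hostile))
    print(and_all(field_equals("source.scom.Name", "Server-App"),
                  date_range("lastUpdated", "2018-09-10", "2018-09-15")))
```

Running the script prints the post's Custom Field and date-range queries byte for byte, then the naive and escaped versions of the hostile value side by side. If you ever generate saved searches from user input (a self-service portal, a ticketing hook), build them with `field_equals`/`date_range` rather than string concatenation; the difference between the two `source.scom.Name` lines is the whole point.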
6. Alerts with a Repeat Count above a specific value
7. Alerts with a specific word or sentence appearing in the Description of the Event that caused the Alert
8. All Servers that have a specific Alert (by name) on all of them
Well, we can search for alerts by name. Looking at the alert properties shows the Principal Name, which should be the server. It is still a search of alerts, just not shown as individual servers.