
Custom Searches in iQ for SCOM Data

Looking for the custom searches for the following situations:


  1. Alerts/Servers belonging to a specific Group in SCOM
  2. Alerts with a specific Name
  3. Alerts with a Custom Field set to a specific value
  4. Alerts with the incident/Ticket field set to a specific value or not empty
  5. Alerts from a specific time frame – from Date Start to Date End
  6. Alerts with a Repeat Count above a specific value
  7. Alerts with a specific word or sentence appearing in the Description of the Event that caused the Alert
  8. All Servers that have a specific Alert (by name) on all of them



1 Comment

Before I begin to give examples of the queries, it is best to show the filters. On every tab on the left hand side there is a filter. This will help you fine tune your results. The filter will allow for open alerts, time ranges, only alerts from certain integrations and severity.

In some cases here I will be using a combination of filters and search results to create the saved search. In a couple cases I will give an alternative to what you are after.

1. Alerts/Servers belonging to a specific Group in SCOM


This is but isn’t possible. Let me try to explain. You can do a search on a group. Say my SQLtesting group.

That will show up the group. This is a Live Maps group, so I have a health state. If yours is just a group in SCOM it will not.

When you click on it, then you can get more details (one of the blue buttons on the bottom). Now you are at the Components page for that group. This will show you all members, explore the group, see all alerts and all incidents (if you have an ITSM integration).

The part that doesn’t work is on an actual saved search. Meaning if I save the search and scope it only to alerts, the group doesn’t have an alert. So it will show up with zero. You can save a search to show the components, but it will only show 1 for the group.

Another and preferable way to do this would be to group the members of your group into a board. Then you can look at this from the boards page and see the total number of alerts.


2. Alerts with a specific name

There are a couple things you can try here. First make sure you are on the Alerts tab. Before creating your search, check any filters you wish to have on or off. While it can have a set name, do you want to only show the active ones (basically not resolved or closed alerts)?

After you have set the filter, this could be very easy. Just type in the name of the alert. You might want to add quotes around it.

Something like “Server-App” will need to be in quotes so it doesn’t treat the dash as something else. If that gives you too many, try something like this.

source.scom.Name:"DEMO-EXCH2"

OR

source.scom.Name:"OWA health set unhealthy (OwaCtpMonitor) - Outlook Web Access logon is failing on ClientAccess server DEMO-EXCH2"

For an alert with this name.


3. Alerts with a Custom Field set to a specific value

Here is a simple example. 

source.scom.Custom\ Field\ 10:"Test Field information"

There are “\” in the name because I needed to escape out for the space in the field name.


4. Alerts with the incident/Ticket field set to a specific value or not empty

source.scom.Ticket\ ID:A569624


5. Alerts from a specific time frame – from Date Start to Date End

created:>=2018-09-10 AND created:<2018-09-15

or

lastUpdated:>=2018-09-10 AND lastUpdated:<2018-09-15


6. Alerts with a Repeat Count above a specific value


source.scom.Repeat\ Count:>10


7. Alerts with a specific word or sentence appearing in the Description of the Event that caused the Alert

source.scom.Alert\ Description:ExitCode


8. All Servers that have a specific Alert (by name) on all of them

Well we can search for alerts by name. Looking at the alert properties would show you the Principal Name, which should be the Server. It is still a search of alerts, just not showing it as individual servers.


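As an added example, not part of the thread and not code from the iQ product, here is a small Python helper that builds the same kinds of searches the comment shows: it applies the backslash-escape rule for spaces in field names (as in `source.scom.Custom\ Field\ 10`), quotes values that contain dashes or spaces (as in “Server-App”), and validates a date window before producing the `created:>=… AND created:<…` form. It assumes the search box uses Lucene-style syntax and that plain alphanumeric tokens can stay unquoted; the `any_of` helper for joining alternatives with OR is an assumption beyond what the page states explicitly.

```python
"""Build iQ-style alert searches from field names and values.

Added example, not part of the original thread. Assumes the search box
uses Lucene-style syntax: spaces in field names are backslash-escaped
(as in source.scom.Custom\\ Field\\ 10) and values containing spaces or
dashes go in double quotes (as in "Server-App").
"""
import re
from datetime import date

# Characters assumed safe to leave unquoted in a value.
_PLAIN_VALUE = re.compile(r"^[A-Za-z0-9_.]+$")


def escape_field(name: str) -> str:
    """Backslash-escape spaces so 'Custom Field 10' stays one field name."""
    return name.replace("\\", "\\\\").replace(" ", "\\ ")


def quote_value(value: str) -> str:
    """Quote a value unless it is a plain token; escape embedded quotes.

    Quoting keeps a dash (Server-App) or a space from being read as query
    syntax, and also stops a value copied from user input from smuggling
    an operator (AND/OR) or a second field clause into the saved search.
    """
    if _PLAIN_VALUE.match(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def field_query(field: str, value: str) -> str:
    """field:value, e.g. source.scom.Ticket\\ ID:A569624."""
    return f"{escape_field(field)}:{quote_value(value)}"


def compare_query(field: str, op: str, number: int) -> str:
    """field:>n style comparison, e.g. Repeat Count above 10."""
    if op not in (">", ">=", "<", "<="):
        raise ValueError(f"unsupported operator {op!r}")
    return f"{escape_field(field)}:{op}{int(number)}"


def range_query(field: str, start: str, end: str) -> str:
    """Inclusive start / exclusive end on ISO dates, as the comment does.

    Both dates are parsed first so a typo cannot silently widen the window.
    """
    d0, d1 = date.fromisoformat(start), date.fromisoformat(end)
    if d0 >= d1:
        raise ValueError("start must be before end")
    f = escape_field(field)
    return f"{f}:>={d0.isoformat()} AND {f}:<{d1.isoformat()}"


def any_of(*clauses: str) -> str:
    """Join alternative searches with OR (assumed syntax), as in item 2."""
    return " OR ".join(f"({c})" for c in clauses)


if __name__ == "__main__":
    # Reproduce the searches given in the thread (values are the thread's).
    print(field_query("source.scom.Name", "DEMO-EXCH2"))
    print(field_query("source.scom.Custom Field 10", "Test Field information"))
    print(field_query("source.scom.Ticket ID", "A569624"))
    print(range_query("created", "2018-09-10", "2018-09-15"))
    print(compare_query("source.scom.Repeat Count", ">", 10))
    print(field_query("source.scom.Alert Description", "ExitCode"))
```

Running the module prints the six searches from the comment verbatim; the only design choice worth noting is that quoting is decided by the value rather than by the caller, so a search built from a ticket number or an alert name pasted by an operator always arrives at iQ as a single literal.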