Adding custom information to alert description (s) and notifications


Alert Description Variables:

The following section contains variables for the Alert Description only.

For event Rules (Alert Description):

EventDisplayNumber (Event ID):             $Data/EventDisplayNumber$
EventDescription (Description):               $Data/EventDescription$
Publisher Name (Event Source):              $Data/PublisherName$
EventCategory:                                    $Data/EventCategory$
LoggingComputer:                                $Data/LoggingComputer$
EventLevel:                                          $Data/EventLevel$
Channel:                                              $Data/Channel$
UserName:                                           $Data/UserName$
EventNumber:                                      $Data/EventNumber$
Event Time:                                          $Data/@time$

For event Monitors (Alert Description):

EventDisplayNumber (Event ID):            $Data/Context/EventDisplayNumber$
EventDescription (Description):              $Data/Context/EventDescription$
Publisher Name (Event Source):             $Data/Context/PublisherName$
EventCategory:                                    $Data/Context/EventCategory$
LoggingComputer:                                $Data/Context/LoggingComputer$
EventLevel:                                         $Data/Context/EventLevel$
Channel:                                             $Data/Context/Channel$
UserName:                                          $Data/Context/UserName$
EventNumber:                                     $Data/Context/EventNumber$
Event Time:                                         $Data/Context/@time$

For Repeating Event Monitors (Alert Description):

EventDisplayNumber (Event ID):              $Data/Context/Context/DataItem/EventDisplayNumber$
EventDescription (Description):                $Data/Context/Context/DataItem/EventDescription$
Publisher Name (Event Source):              $Data/Context/Context/DataItem/PublisherName$
EventCategory:                                      $Data/Context/Context/DataItem/EventCategory$
LoggingComputer:                                  $Data/Context/Context/DataItem/LoggingComputer$
EventLevel:                                            $Data/Context/Context/DataItem/EventLevel$
Channel:                                                $Data/Context/Context/DataItem/Channel$
UserName:                                             $Data/Context/Context/DataItem/UserName$
EventNumber:                                         $Data/Context/Context/DataItem/EventNumber$ 

Performance Threshold Monitors (Alert Description):

Object (Perf Object Name):                    $Data/Context/ObjectName$
Counter (Perf Counter Name):                $Data/Context/CounterName$
Instance (Perf Instance Name):              $Data/Context/InstanceName$
*Value (Perf Counter Value):                  $Data/Context/Value$ 
**Last Sampled Value                            $Data/Context/SampleValue$

*Value will show the actual performance value for simple and avg monitors.  It will show number of samples for consecutive threshold monitors.
**Last Sampled Value works to show the last value evaluated in a consecutive sample value monitor.

Service Monitors (Alert Description):

Service Name                         $Data/Context/Property[@Name=’Name’]$
Service Dependencies             $Data/Context/Property[@Name=’Dependencies’]$
Service Binary Path                $Data/Context/Property[@Name=’BinaryPathName’]$
Service Display Name             $Data/Context/Property[@Name=’DisplayName’]$
Service Description                 $Data/Context/Property[@Name=’Description’]$

Logfile Monitors (Alert Description):

Logfile Directory :                  $Data/Context/LogFileDirectory$
Logfile name:                        $Data/Context/LogFileName$
String:                                  $Data/Context/Params/Param[1]$

Logfile rules (Alert Description):

Logfile Directory:                   $Data/EventData/DataItem/LogFileDirectory$
Logfile name:                        $Data/EventData/DataItem/LogFileName$
String:                                  $Data/EventData/DataItem/Params/Param[1]$

General (Alert Description ONLY.  Do NOT use $Target properties for notifications, except the explicitly allowed ones listed below in the notifications section):

To show the name of the Windows Computer host:



Notification Variables:

These are for notifications only.


$Data/Context/DataItem/AlertId$                                       The AlertID GUID
$Data/Context/DataItem/AlertName$                                   The Alert Name
$Data/Context/DataItem/AlertDescription$                              The Alert Description
$Data/Context/DataItem/Category$                                    The Alert category
$Data/Context/DataItem/CreatedByMonitor$                       True/False
$Data/Context/DataItem/Custom1$                                     CustomField1
$Data/Context/DataItem/Custom2$                                    CustomField2
$Data/Context/DataItem/Custom3$                                    CustomField3
$Data/Context/DataItem/Custom4$                                    CustomField4
$Data/Context/DataItem/Custom5$                                    CustomField5
$Data/Context/DataItem/Custom6$                                     CustomField6
$Data/Context/DataItem/Custom7$                                     CustomField7
$Data/Context/DataItem/Custom8$                                     CustomField8
$Data/Context/DataItem/Custom9$                                     CustomField9
$Data/Context/DataItem/Custom10$                                  CustomField10
$Data/Context/DataItem/DataItemCreateTime$                      UTC Date/Time of Dataitem created
$Data/Context/DataItem/DataItemCreateTimeLocal$               LocalTime Date/Time of Dataitem created
$Data/Context/DataItem/LastModified$                                 UTC Date/Time DataItem was modified
$Data/Context/DataItem/LastModifiedLocal$                          Local Date/Time DataItem was modified
$Data/Context/DataItem/ManagedEntity$                               ManagedEntity GUID
$Data/Context/DataItem/ManagedEntityDisplayName$             ManagedEntity Display name
$Data/Context/DataItem/ManagedEntityFullName$                   ManagedEntity Full name
$Data/Context/DataItem/ManagedEntityPath$                          Managed Entity Path
$Data/Context/DataItem/Priority$                                          The Alert Priority Number (High=1,Medium=2,Low=3)
$Data/Context/DataItem/Owner$                                           The Alert Owner
$Data/Context/DataItem/RepeatCount$                                  The Alert Repeat Count
$Data/Context/DataItem/ResolutionState$                               Resolution state ID (0=New, 255= Closed)
$Data/Context/DataItem/ResolutionStateLastModified$                 UTC Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateLastModifiedLocal$          Local Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateName$                       The Resolution State Name (New, Closed)
$Data/Context/DataItem/ResolvedBy$                                     Person resolving the alert
$Data/Context/DataItem/Severity$                                          The Alert Severity ID
$Data/Context/DataItem/TicketId$                                           The TicketID
$Data/Context/DataItem/TimeAdded$                                       UTC Time Added
$Data/Context/DataItem/TimeAddedLocal$                               Local Time Added
$Data/Context/DataItem/TimeRaised$                                      UTC Time Raised
$Data/Context/DataItem/TimeRaisedLocal$                              Local Time Raised
$Data/Context/DataItem/TimeResolved$                                  UTC Date/Time the Alert was resolved
$Data/Context/DataItem/WorkflowId$                                      The Workflow ID (GUID)
$Data/Recipients/To/Address/Address$                                    The name of the recipient

The Web Console URL:

The principalname of the management server:


Also see related post:

Comments (58)

  1. Anonymous says:

    Main Downloads page (catalog, documentation)

  2. Anonymous says:

    There are several examples in blogs on how to create a generic text log rule to monitor for a local text

  3. Anonymous says:

    Many times, we would like to collect information for reporting, or measure and alert on something. 

  4. Anonymous says:

    Here are a couple a tidbits on command notification with Operations Manager 2007 I’ve seen people

  5. Anonymous says:

    When you create an Alert Description in OpsMgr 2007 for alerting rules and monitors…. you might have

  6. Kevin Holman says:

    Not that I am aware of – but I am working on just that issue.  We really need this – and if there is a way to xpath this – it would really help.

    I am trying to find out if this is possible from the product group right now – but I dont think it is.  Sure would be nice.

    I am develping a spreadsheet to cross reference the alert view in the console/alert view in DB/alert notification variables/SDK Get-Alert/R2 connector key pairs.

  7. Kevin Holman says:

    Tom – the reason this doesnt work – is because there IS NO "EventDescription" for a server monitor.

    Event Description is for Events, in the Event log.  The Service unit monitor is its own module, and it has no relation to the event log module.  You need to uses variabled applicable to the Service Unit Monitor…. which are posted above.

  8. Kevin Holman says:

    @Email Admin –

    This is doable – when you create the alert notification subscription – use the variables above and input them in the propert format that you want, into the email channel – and then use that custom channel for a subscription to that specific alert (computer unreachable)

  9. Kevin Holman says:

    Eric – these should be working fine when used in a notification, for an NT event log rule or monitor.

    SCOM 2007R2 or SCOM 2012?

  10. Kevin Holman says:

    You can add anything that is a property of your data source…. like event, perf, etc… that our data source mudule understands.

    The IP address is an ATTRIBUTE of the Windows Computer object… and is not tied to the alert, or the data source.

    So – I dont know a way to add the IP address of the object to all alerts…. and this wont always even make sense – for alerts that come from "SQL Database" for instance.  

    The only thing I can think of is writing a custom product connector – which would modify alerts via the SDK after they are created on a polling cycle…. this connector would examin the alert – query up the containment/hosting relationships to find the windows computer object – gather the IP attribute – and populate a custom field with the IP, on the alert.

    1. Praveen says:


      Is there a way we can have affected server ip address as well along with hostname. We are getting server hostname but want to add the affected server IP address as well.

      Please suggest.

      1. Kevin Holman says:

        I already answered that – directly above your question.

  11. chaselton says:

    The event Monitor variables don’t work.

    I’m trying to put information in the subject of the notification subscription based on a monitor.  I’m using

    $Data/Context/UserName$ is logging in to $Data/Context/LoggingComputer$

    as the subject.  When the email goes out, I get

    " is logging in to "

  12. Kevin Holman says:

    Aggregate rollup monitors roll up state only.  They have no idea or information about the values or details on the monitors below them.  They have a state-rollup algorithm (best of, worst of) and then they simply change state according to that policy.

    In this way – by design if you alert from an aggregate monitor – you cannot get deep level details about the root cause monitor – it could be one – or many that are problematic at any given time.

    For the details – you must alert on the unit monitor.

  13. Anonymous says:

    How to get the source server name in alert description for the alerts that we are receiving for services going down. The string i am using here is as

    $Data/Context/Property[@Name=’Name’]$ has stopped running.

    This gives me only the service name. How to get the affected server anme in this.

    any help will appreciated.

  14. Kevin Holman says:

    Q:  In email notification, is there any way to display the severity by ‘name’ instead of ‘id’ so I don’t get an integer?

    A:  Not that I know of.

  15. Emeric says:

    Do you think,I can used a another performance threshold monitor in alerte description ?

  16. Brian Soh says:

    For Correlated event Monitor;

    Below is the variable for event Description

    $Data/Context/DataItem/Item0Context/DataItem/EventDescription$ $Data/Context/DataItem/Item1Context/DataItem/EventDescription$

  17. Habeeb says:

    What do you do when you have monitors created from Web application template, like in case an Base page status code monitor should be able to send out mail indicating from which web site that Alert is raised and also the exact base page status code which generated the error

  18. David Strebel says:

    Is there a way to add company knowledge to notifications.

  19. Ray Avila says:

    great resource. you saved my day.

  20. Tom Speijer says:

    Kevin nice one, but when i try the alerting in a monitor which monitors a basic service. and for example i use $Data/Context/EventDescription$ my alert will result in {0}..

    shouldn’t that be anything more helpfull?

    and can you use multiple lines? because when i try it, the alert just won’t come..?

  21. Tom Speijer says:


    i’ve already tried about anything shown above

    now i’ve tried this one :

    $Data/Context/Property[@Name=’Name’]$ it still gives me {0}

  22. Tom Speijer says:

    it’s fixed..

    when i changed something in the alert description, i immediatly looked in the alert what was showing op in the active alerts. it always said {0}.

    i never waited for a new alert to popup.

    apparantly when a new one shows, the event description is populated perfectly.

    thx for you assistance!

  23. rajeev says:

    can I get the ip address of the host?

  24. Gurpreet says:

    If I have a configuration parameter in the monitor like a threshold number, how do i access this value in the alert?

    For e.g. I have a monitor that generates an alerts if 5 samples have value of call duration of more than 100ms. Both the number of samples and duration threshold need to be displayed in the alert. These are not properties of any of the classes.

  25. PaulD says:

    Hi Kevin.

    using get-alert cmdlet we have field named "NetbiosComputerName". Is there any Xpath equivalent for this field?

  26. Mark Benoit says:

    Are there any Alert Description variables available for Aggregate rollup monitors?  At best, I would like to be able to have the Aggregate monitor alert description show the actual value that triggerd the unhealthy state of the child monitors (in this case, CPU% utilization) like $Data/Context/Property[@Name=’PctUsage’], but that does not work.  If that is not available to the parent monitor, then it would be nice to be able to include a Alert Description variable for the Alert Severity of the child monitor that went unhealthy (Warning or Critical).

  27. ashutosh says:

    even when i have created a unit monitor for % CPU utilization. When i use the same string in Alert description i don’t get the value for CPU utilization.

  28. JOBBO says:

    I need to send SMS messages with short HostName and IPv4 Address (not DNS or Source or Path name)

    Can you guide me how to send notification with NetBIOS name in subject feild.

    I have use $Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetbiosComputerName$   but it could not be save setting.

  29. JB says:

    Any update on a simple way to capture the hostname for ANY alert type?  This inability effectively shuts down our process of send SCOM alerts to Tivoli TEC.  (Not using the TEC connector)  We need to have the severity,hostname, description, alert name of every eventalert that comes in.  Sometimes the parameters we use grab the hostname, others it does not.  

    Is Microsoft attempting to fix this?

  30. Pua says:

    Is there an xpath expression for a monitor’s threshold value?  I wish to include this in my alerts so our alert recipients can see both the value that exceeded the threshold, and the threshold itself.  Thanks.

  31. JD says:

    In email notification, is there any way to display the severity by ‘name’ instead of ‘id’ so I don’t get an integer? For example, I want the notification to read Severity: Warning instead of Severity: 1 which is what happens when $Data/Context/DataItem/Severity$ variable is used.

  32. Jeff C. says:

    In OpsMgr, for notification, we use a command line channel to send pages. We have it configured as such (for example).


    That way, if Custom1 is blank we can page out on Param[1] value. This works great in paging, but when we try to do the same thing in email, it doesn’t work. It passes the literal text. How can we do the same thing in email?

  33. burton says:


    How do you embed diagnostic output in the alert notification?  For example, I have a script-based diagnostic attached to a percent processor utilization performance monitor.  The script lists the top running processes at the time, along with their individual processor utilization percentages.  It returns this information to the alert as a property bag property called 'Result'.  The diagnostic result appears in Health Explorer all right, but I also want to include it in the alert notification.  I would like to use something like this:


    (from:…/ff714576.aspx ), but it does not work.  I have also tried this without success:


    BTW, ditto to David Strebel's question above.


  34. Email Admin says:

    hi thanks nice artical.. but i have one query / help.

    i want to customized My own words like..

    Server Name ,

    Server Role,

    Up –

    Down –

    Down time –

    so can you suggest any way to how we can costomized alert….!

  35. csmeeton says:

    Hi Kevin, I have a rule configured to capture the event log information from id's 644 & 4740, account lockouts.  I have a view setup to filter these account lockouts to just show service accounts in this format using text from the description:  'COMPANYs-%'. This filter works great. However I cannot get the same filter to work when sending out the notification in email. It seems to be all account lockouts or nothing. Any ideas how I can make this work? Thanks!

  36. What's the value for setting SQL Instance name under SCOM Alert Message..?

  37. Abdul Karim says:

    Hello Kevin,

    Recently, I was asked to create a unit monitor to be alerted for any file changes in the environment.

    So, I created an event based timer reset monitor, which targets the security log and a particular ID and a parameter.

    The alerting works fine in SCOM whenever the ID and parameter are triggered together in the event viewer.

    The problem is with the description that is shown in SCOM.

    The event shows proper format of descrption as shown below:

    A handle to an object was requested.


     Security ID:  DOMuser

     Account Name:  user

     Account Domain:  DOM

     Logon ID:  0x1c77b615e


     Object Server:  Security

     Object Type:  File

     Object Name:  DeviceHarddiskVolume7testtestusertestuserHReportstesttest2012user2012Security2012.xlsx

     Handle ID:  0x0

    Process Information:

     Process ID:  0x4

     Process Name:  

    Access Request Information:

     Transaction ID:  {00000000-0000-0000-0000-000000000000}

     Accesses:  DELETE



        ReadData (or ListDirectory)



     Access Reasons:  DELETE: Unknown or unchecked

        READ_CONTROL: Granted by Ownership

        ACCESS_SYS_SEC: Not granted due to missing SeSecurityPrivilege

        ReadData (or ListDirectory): Unknown or unchecked

        ReadEA: Unknown or unchecked

        ReadAttributes: Granted by ACE on parent folder D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108)

     Access Mask:  0x1030089

     Privileges Used for Access Check: –

     Restricted SID Count: 0

    However, in the event viewer friendly view (both general and XML) the data is displayed as shown below:


     SubjectUserSid S-1-5-21-3362488545-1801783553-3570299896-4101

     SubjectUserName user

      SubjectDomainName DOM

     SubjectLogonId 0x1c77b615e

     ObjectServer Security

     ObjectType File

     ObjectName  DeviceHarddiskVolume7testtestusertestuserHReportstesttest2012user2012Security2012.xlsx

      HandleId 0x0

     TransactionId {00000000-0000-0000-0000-000000000000}

     AccessList %%1537 %%1538 %%1542 %%4416 %%4419 %%4423  

     AccessReason %%1537: %%1809 %%1538: %%1804 %%1542: %%1810 SeSecurityPrivilege %%4416: %%1809 %%4419: %%1809 %%4423: %%1811 D:(A;OICIID;0x1301bf;;;S-1-5-21-3362488545-1801783553-3570299896-10108)

      AccessMask 0x1030089

     PrivilegeList –

     RestrictedSidCount 0

     ProcessId 0x4


    The same XML data (from friendly view) is displayed in SCOM.

    Is there a way I can get SCOM to read the data from the general view of the eventviewer instead of it reading from the friendly View.

    Any Help will be appreciated.

    Thanks in Advance!


    Abdul Karim

  38. Eric says:

    The event rule variables don't seem to work. I have tried  $Data/EventDescription$ as well as  $Data/Context/EventDescription$ I tried them both in the rule itself and in a SMTP channel for a subscription that fires an email for that rule and always get blank results? Can you confirm where we use these variables, in the rule or alert channel and what they should be for an NT Event Log rule?

  39. Jules says:

    We have the software remedy and if we try to add [$$BLABLA$$] for example. But the $ always gets interpreted as a variable and we need 2 $ because of the remedy.

    Here an example:

    Service Type !1000000099!: [$$Infrastructure Event$$]

    But it's always:

    Service Type !1000000099!: [$Infrastructure Event$]

    In some cases it gets interpreted correctly with 4$ but in some cases not. So do you have a solution for my problem what works for my whole problem?



  40. TeresaTO says:

    I'm trying to update Custom Fields with IP address from text file, is there any suggestions on why I can update the fields with text but not IP?

  41. Ed says:

    Hello and thank you for all the details you have provided to us.

    My question is this – within Monitoring, I've created a rule for EventID = 6000 (Log file is full) – can I pass $Data/LoggingComputer$ to a PowerShell script as a parameter when specifying command line execution settings?

    I want to have it go off and perform event log backup & clear on that remote server.


  42. Jitendra s says:

    Can some one tell me how to add Ip address in case of Linux unix alerts

  43. Anonymous says:

    Hello! I recently had the opportunity of working with a customer who had a pretty simple ask about log

  44. Andrey says:

    Hello. Can anyone help me? I install SCOM 2012 R2. Create some rules and monitors. Also, create subscribers, channels and subscriptions. In one of channel, I add in E-mail message time (Time: $Data/Context/DataItem/LastModifiedLocal$). When Alert is on,
    I see in Monitoring Veiw this alert, and it has in its properties a field"Created: Пт 20.06.2014 17:08:12", but i get in the e-mail "Time: 6/20/2014 5:08:12 PM" !
    Where i must change time format? In system (windows Server 2012 R2) i have Date and time shot format: ddd dd.MM.yyyy and short time: H:mm.
    Thanks 🙂

  45. Andrey says:

    ok, how to change date-time format in channel variable $Data/Context/DataItem/LastModifiedLocal$.

  46. Peter Jestico says:

    Is there a 2012 version of this article?
    A lot of the fields still seem to work but not all so wondered if an updated version existed yet as this has been helpful.
    An example of why I’m asking is that I cant see how to insert the SiteName in an alert so wondering if that’s available in 2012 but wasn’t a value supported for use in 2007?

  47. Muhammad Usman says:

    Is there any way to round off the performance counter values in the alerts and notifications?

    the current CPU % Utilization values shows as 25.102991104125977 %. Can it be rounded-off to an integer to to 2 decimal places like 25 or 25.10

  48. Fawad says:

    I am using SCOM for Network Device monitoring. I am facing one issue. when i remove up link of my switch it shows me the following alert.
    Alert: Network Device is Not Responding
    Path: Not Present
    Last modified by: System
    Last modified time: 8/30/2016 11:57:29 PM
    Alert description: Device ( is not responding to either ICMP or SNMP requests. Use health explorer to further troubleshoot this issue.

    with source IP which is good enough but when i remove any other ports of the same switch it just show me the port information. if i have number of switches in my network then how can i identify that which port goes down of which switch. following is the alert when i remove the cable of any port.

    Alert: Interface Status
    Source: PORT-1.3
    Path: 30-37-A6-E5-68-C1
    Last modified by: System
    Last modified time: 8/30/2016 11:43:59 PM
    Alert description: Interface PORT-1.3 is in an unhealthy state. Use health explorer to further troubleshoot this issue.

    also it is showing me the MAC of my vlan in Path option “Path: 30-37-A6-E5-68-C1” it would be great if we can add IP information of that switch instead of MAC.

    1. Fawad says:

      I find the script that we need to configure in order to get the IP detail along with the Port number.

      Alert: $Data[Default=’Not Present’]/Context/DataItem/AlertName$
      Interface : $Data[Default=’Not Present’]/Context/DataItem/ManagedEntityDisplayName$
      Source Device: $Data[Default=’Not Present’]/Context/DataItem/ManagedEntityFullName$

      set the SMTP channel as mentioned above and you will get the following results.
      Alert: Interface Status
      Interface : PORT-1.3
      Source Device: System.NetworkManagement.NetworkAdapter:30-37-A6-E5-68-C1;PORT-
      Path: 30-37-A6-E5-68-C1

  49. Greg says:

    I can’t seem to find the property for isMonitor to include in emails, so that some technicians who resolve the core issue in the notification will know that the alert doesn’t have to be closed in the console. Any thoughts?

  50. Marc Becker says:

    I’m using performance monitor to write an event and then use that to trigger a task that needs to pass the data from the “countername” variable to the task. I successfully tested this passing the eventid as an argument, but I can’t get it to pass the counter. This is the code I’m using to extract the EventID from event viewer. Event/EventData/Data[@Name=’EventID’]. But when I change EventID to countername, it just passes a null value. Anyone know how to extract this variable from event viewer?

  51. TTU says:

    Great reference. Thanks. I need to send alerts while keeping the names/ip’s of the systems involved as vague as possible, yet still be evident where they’re coming from. Primarily for the person on-call to receive on their personal device. Example:, Server01,, located in Tampa. I know which fields to grab, but any ideas on how I shorten this to S01-4-T, or something like that?
    Thank you.

    1. Kevin Holman says:

      The only way to massage the data like that would be to use something like SCORCH – to modify the alerts after they are generated, get the properties – change as desired, insert them back into custom fields by modifying the alert, then setting resolution state to something that triggers the notification. You can then use your new properties.

Skip to main content