How to find a specific rule/monitor/discovery in the console – when all you have a more cryptic ID in an alert

Sometimes – we will get a Script Error alert, or WMI failure Alert, or some generic alert, telling us that some OTHER workflow had a problem.  These alerts are NOT the root cause… the root cause is the workflow that gets referenced in the alert. 

The problem is – the alert often gives us a Rule/Monitor/Discovery name, that is not the same as the Common Display Name of the workflow in the console.

For instance – in R2 – we have a new rule that will temporarily disable a workflow that is flooding alerts.  Here is an example of that alert:

Alert generation was temporarily suspended due to too many alerts
A rule has generated 50 alerts in the last 60 seconds. 
Usually, when a rule generates this many alerts, it is because the rule definition is misconfigured. 
Please examine the rule for errors.
In order to avoid excessive load, this rule will be temporarily suspended until 2009-04-17T10:54:33.2764287+01:00.
Rule: Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert
Instance ID: {1219134EC-909D-VA37-1E06-679DD505D87C}
Management Group: OPS


Now – to tune, or investigate – we need to understand the problem workflow.  In this case… the problem workflow is a rule, “Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert”

To troubleshoot – we need to find this rule in the console.  However – the console lets us search on the Display Name, not this more cryptic ID.  So here is a query that will help us map that:




select DisplayName from ruleview
where name = 'Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert'

Command Shell:

(Get-Rule | Where {$ -match 'Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert'}).DisplayName




select DisplayName from DiscoveryView
where name = 'Microsoft.Office.Sharepoint.Server.2007.MOSS.Server.Discovery'

Command Shell:

(Get-Discovery| Where {$ -match 'Microsoft.Office.Sharepoint.Server.2007.MOSS.Server.Discovery'}).DisplayName




select DisplayName from monitorview
where Name = 'MAPI_logon_failure.Monitor'

Command Shell:

(Get-Monitor| Where {$ -match 'MAPI_logon_failure.Monitor'}).DisplayName



This will output the common display name of the rule/monitor/discovery:

Generic Performance Mapper Module Execution Failure

With this – finding the rule is pretty easy.  One of the fastest ways – is to use search:


Tools > Search, then paste in the workflow common display name we got from the query:




Then – click “View Knowledge”  This will bring up the rule properties.  From there – you can view the data source, and get a better idea of what the rule/monitor/discovery does, and how to troubleshoot it.



Comments (5)

  1. Ah, I see you now updated the post to include my powershell version, not just the SQL queries 😉

  2. Kevin Holman says:

    I added those right after you posted…. I just dont think in terms of powershell.


  3. I usually use the command shell for this, by using the Get-Rule, Get-Discovery or Get-Monitor cmdlets.


    (Get-Rule | Where {$ -match ‘Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert’}).DisplayName

  4. gautam says:

    Nice one. Very helpfull

  5. Kamal says:

    This is Very helpful Nice post

Skip to main content