How to find a specific rule/monitor/discovery in the console – when all you have a more cryptic ID in an alert


Sometimes – we will get a Script Error alert, or WMI failure Alert, or some generic alert, telling us that some OTHER workflow had a problem.  These alerts are NOT the root cause… the root cause is the workflow that gets referenced in the alert. 

The problem is – the alert often gives us a Rule/Monitor/Discovery name, that is not the same as the Common Display Name of the workflow in the console.

For instance – in R2 – we have a new rule that will temporarily disable a workflow that is flooding alerts.  Here is an example of that alert:

Alert generation was temporarily suspended due to too many alerts
A rule has generated 50 alerts in the last 60 seconds. 
Usually, when a rule generates this many alerts, it is because the rule definition is misconfigured. 
Please examine the rule for errors.
In order to avoid excessive load, this rule will be temporarily suspended until 2009-04-17T10:54:33.2764287+01:00.
Rule: Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert
Instance: rms.opsmgr.net
Instance ID: {1219134EC-909D-VA37-1E06-679DD505D87C}
Management Group: OPS

 

Now – to tune, or investigate – we need to understand the problem workflow.  In this case… the problem workflow is a rule, “Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert”

To troubleshoot – we need to find this rule in the console.  However – the console lets us search on the Display Name, not this more cryptic ID.  So here is a query that will help us map that:

 

Rules:

SQL:

select DisplayName from ruleview
where name = 'Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert'

Command Shell:

(Get-Rule | Where {$_.name -match 'Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert'}).DisplayName

 

Discoveries:

SQL:

select DisplayName from DiscoveryView
where name = 'Microsoft.Office.Sharepoint.Server.2007.MOSS.Server.Discovery'

Command Shell:

(Get-Discovery| Where {$_.name -match 'Microsoft.Office.Sharepoint.Server.2007.MOSS.Server.Discovery'}).DisplayName

 

Monitors:

SQL:

select DisplayName from monitorview
where Name = 'MAPI_logon_failure.Monitor'

Command Shell:

(Get-Monitor| Where {$_.name -match 'MAPI_logon_failure.Monitor'}).DisplayName

 

 

This will output the common display name of the rule/monitor/discovery:

Generic Performance Mapper Module Execution Failure

With this – finding the rule is pretty easy.  One of the fastest ways – is to use search:

 

Tools > Search, then paste in the workflow common display name we got from the query:

 

image

 

Then – click “View Knowledge”  This will bring up the rule properties.  From there – you can view the data source, and get a better idea of what the rule/monitor/discovery does, and how to troubleshoot it.

 

image

Comments (5)

  1. Ah, I see you now updated the post to include my powershell version, not just the SQL queries 😉

  2. Kevin Holman says:

    I added those right after you posted…. I just dont think in terms of powershell.

    🙂

  3. I usually use the command shell for this, by using the Get-Rule, Get-Discovery or Get-Monitor cmdlets.

    Example:

    (Get-Rule | Where {$_.name -match ‘Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert’}).DisplayName

  4. gautam says:

    Nice one. Very helpfull

  5. Kamal says:

    This is Very helpful Nice post

Skip to main content