Adding event time to an alert description

We have several “Time” variables, to which you can add to a notification subscription format, which will include a timestamp of something related to the alert.  For instance:



$Data/Context/DataItem/LastModified$                                UTC Date/Time DataItem was modified
$Data/Context/DataItem/LastModifiedLocal$                         Local Date/Time DataItem was modified
$Data/Context/DataItem/TimeAdded$                                   UTC Time Added
$Data/Context/DataItem/TimeAddedLocal$                           Local Time Added
$Data/Context/DataItem/TimeRaised$                                  UTC Time Raised
$Data/Context/DataItem/TimeRaisedLocal$                           Local Time Raised
$Data/Context/DataItem/TimeResolved$                              UTC Date/Time the Alert was resolved


However – all of these values are properties of the alert itself.  This is good – as it covers almost all timestamp scenarios of an alert.

The typical Alert description variables for an event rule (from the post above) are:

For event Rules:

EventDisplayNumber (Event ID):             $Data/EventDisplayNumber$
EventDescription (Description):               $Data/EventDescription$
Publisher Name (Event Source):              $Data/PublisherName$
EventCategory:                                    $Data/EventCategory$
LoggingComputer:                                $Data/LoggingComputer$
EventLevel:                                          $Data/EventLevel$
Channel:                                              $Data/Channel$
UserName:                                           $Data/UserName$
EventNumber:                                      $Data/EventNumber$

For event Monitors:

EventDisplayNumber (Event ID):            $Data/Context/EventDisplayNumber$
EventDescription (Description):              $Data/Context/EventDescription$
Publisher Name (Event Source):             $Data/Context/PublisherName$
EventCategory:                                    $Data/Context/EventCategory$
LoggingComputer:                                $Data/Context/LoggingComputer$
EventLevel:                                         $Data/Context/EventLevel$
Channel:                                             $Data/Context/Channel$
UserName:                                          $Data/Context/UserName$
EventNumber:                                     $Data/Context/EventNumber$


But what if – we are creating an event workflow such as an alert generating rule, and we want the actual time of the *event* to show up in the alert?  This is available by looking at the Alert Context tab of the alert properties.

For instance, I have a test rule I use for testing agents, it has a data source of event ID 100, and source = TEST.  When I generate this event – I can see the alert properties has all the actual event details:




So since the runtime is picking up all this data – that generally means I can use *anything* here in my alert description.  To use the event time:


For event rules:   $Data/@time$

For event monitors:   $Data/Context/@time$


Here is an example of my alert description:




And here is the output:



Comments (4)

  1. Hey Kevin!

    Thanks, that's interesting. What about non-standard values out of the alert context? For instance I've got OleDb monitors that return data like

    Date and Time 14.03.2012 12:19:18


    Result Success

    Initialization Time 40

    Open Time 0

    Execution Time 18148

    Fetch Time 0

    Result Set  Input Data Item

    In (at least) that case I also don't get the time from $Data/Context/@time$



  2. Oh man… that was that easy, didn't tried the most obvious method:







  3. Tan says:

    if i would like to have this on all the alerts in the scom, is it possible to have event time on email notification instead of alert itself?

    That means, can i add $data/@time$ in email notification? i tested but not working.. 🙁

  4. andyinsdca says:

    How do I get this info into a Channel? For example, the Office 365 Incident Description is pretty worthless when it comes in an email, but there’s a bunch of good stuff in “Details.” In the Alert description for the O365 incident, there’s $Data/Property[@Name=’Title’]$ so I tried that format in my SMTP channel $Data/Property[@Name=’Details’]$ but I don’t get anything. I’ve tried about a dozen different variations to see if I can get it, but no love. (PS: I can see the property “Details” in the Alert in the DB in the “Context” column)

Skip to main content