Adding event time to an alert description


We have several “Time” variables, to which you can add to a notification subscription format, which will include a timestamp of something related to the alert.  For instance:

From: http://blogs.technet.com/kevinholman/archive/2007/12/12/adding-custom-information-to-alert-descriptions-and-notifications.aspx

 

$Data/Context/DataItem/LastModified$                                UTC Date/Time DataItem was modified
$Data/Context/DataItem/LastModifiedLocal$                         Local Date/Time DataItem was modified
$Data/Context/DataItem/TimeAdded$                                   UTC Time Added
$Data/Context/DataItem/TimeAddedLocal$                           Local Time Added
$Data/Context/DataItem/TimeRaised$                                  UTC Time Raised
$Data/Context/DataItem/TimeRaisedLocal$                           Local Time Raised
$Data/Context/DataItem/TimeResolved$                              UTC Date/Time the Alert was resolved

 

However – all of these values are properties of the alert itself.  This is good – as it covers almost all timestamp scenarios of an alert.

The typical Alert description variables for an event rule (from the post above) are:

For event Rules:

EventDisplayNumber (Event ID):             $Data/EventDisplayNumber$
EventDescription (Description):               $Data/EventDescription$
Publisher Name (Event Source):              $Data/PublisherName$
EventCategory:                                    $Data/EventCategory$
LoggingComputer:                                $Data/LoggingComputer$
EventLevel:                                          $Data/EventLevel$
Channel:                                              $Data/Channel$
UserName:                                           $Data/UserName$
EventNumber:                                      $Data/EventNumber$

For event Monitors:

EventDisplayNumber (Event ID):            $Data/Context/EventDisplayNumber$
EventDescription (Description):              $Data/Context/EventDescription$
Publisher Name (Event Source):             $Data/Context/PublisherName$
EventCategory:                                    $Data/Context/EventCategory$
LoggingComputer:                                $Data/Context/LoggingComputer$
EventLevel:                                         $Data/Context/EventLevel$
Channel:                                             $Data/Context/Channel$
UserName:                                          $Data/Context/UserName$
EventNumber:                                     $Data/Context/EventNumber$

 

But what if – we are creating an event workflow such as an alert generating rule, and we want the actual time of the *event* to show up in the alert?  This is available by looking at the Alert Context tab of the alert properties.

For instance, I have a test rule I use for testing agents, it has a data source of event ID 100, and source = TEST.  When I generate this event – I can see the alert properties has all the actual event details:

 

image

 

So since the runtime is picking up all this data – that generally means I can use *anything* here in my alert description.  To use the event time:

 

For event rules:   $Data/@time$

For event monitors:   $Data/Context/@time$

 

Here is an example of my alert description:

 

image

 

And here is the output:

 

image

Comments (7)

  1. Hey Kevin!

    Thanks, that's interesting. What about non-standard values out of the alert context? For instance I've got OleDb monitors that return data like

    Date and Time 14.03.2012 12:19:18

    HRESULT 0

    Result Success

    Initialization Time 40

    Open Time 0

    Execution Time 18148

    Fetch Time 0

    Result Set  Input Data Item

    In (at least) that case I also don't get the time from $Data/Context/@time$

    Thanks,

    Patrick

  2. Oh man… that was that easy, didn't tried the most obvious method:

    $Data/Context/Result$

    $Data/Context/ResultLength$

    $Data/Context/ExecutionTime$

    $Data/Context/ResultCode$

    Cheers,

    Patrick

  3. Tan says:

    if i would like to have this on all the alerts in the scom, is it possible to have event time on email notification instead of alert itself?

    That means, can i add $data/@time$ in email notification? i tested but not working.. 🙁

  4. andyinsdca says:

    How do I get this info into a Channel? For example, the Office 365 Incident Description is pretty worthless when it comes in an email, but there’s a bunch of good stuff in “Details.” In the Alert description for the O365 incident, there’s $Data/Property[@Name=’Title’]$ so I tried that format in my SMTP channel $Data/Property[@Name=’Details’]$ but I don’t get anything. I’ve tried about a dozen different variations to see if I can get it, but no love. (PS: I can see the property “Details” in the Alert in the DB in the “Context” column)

    1. I just ran across this issue today as well. Like andyinsdca, I’d like to know how to add the Alert Context Details property to an email notification channel. Thanks!

      1. Kshitij Verma says:

        Same issue.. Tried many steps to add Alert context details in my channel but no luck.. If anyone having solution pls update..

        1. Kevin Holman says:

          Have you tried: $Data[Default=’Not Present’]/Context$

Skip to main content