Using Microsoft Operations Management Suite Search Strings


Summary: Learn how to find and use already created MS OMS search strings.

Good morning everyone. Ed Wilson here. Today, Teresa (aka The Scripting Wife) showed me a video taken by her friend that showed a squirrel trying to steal a coconut. I imagine the squirrel got overwhelmed thinking about how this nut would be the envy of all the other fuzzy headed squirrels, and with this one score, it would feed a family of four for a month.

Sometimes when trying to query MS OMS, I feel a bit like that squirrel. I mean, there is so much data, and it is a bit difficult to get my hands around it.

Note: This post is part of a seven-part series about using MS OMS Search. The series includes:

Don’t forget the easy way to search MS OMS

I have been writing all week about using Microsoft Operations Management Suite Search. Although it is useful to learn the search syntax and be able to customize the search strings, don’t forget that MS OMS is designed to be easy. This means that for a lot of situations, the query is already created.

Note: When I need to customize an MS OMS search, I like to refer to the OMS Search reference document on TechNet.

For example, with the WireData solution installed, there is a new data type: WireData. A simple query to return the wiredata collected for the past week would be:

Type=WireData

If I am interested in local subnet data, however, all I need to do is to click Local Subnets. Here I see that I have 14 local subnets:

Image of menu

The command to group TotalBytes by subnet is shown here:

Type:WireData | Measure Sum(TotalBytes) by LocalSubnet

But I don’t have to create that query string because it automatically is created when I click Local Subnets. I can dive in to a specific subnet that is generating a lot of traffic. I click a particular subnet, and it returns the records for that subnet. The query string changes again. This time it is looking for a particular subnet.

Type:WireData LocalSubnet="172.16.4.0/22"

The records are shown here:

Image of menu

Each time I select something, I can watch the query string change, and I can see the resulting data. This is actually a pretty good way to learn how the different MS OMS search queries work.

But there is more…much more.

If I scroll to the right column in my WireData solution, I can see that there is a list of common wiredata queries that I can examine and select:

Image of menu

If, for example, I choose the first query in my solution, Agents that provide wiredata, I imagine it will return a list of servers that have the agent installed. To run the query, I click the blue search string. This opens the search string in Search and displays the results. Here is the search query that runs, followed by the results:

Type=WireData | measure Sum(TotalBytes) by Computer

Image of menu

So, while I am learning the MS OMS search query syntax, I am not stuck. In fact, I have many ways to peruse the collected data, and with each of these, I have another chance to see more complex search syntax and to learn to modify them on my own.
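How the query strings shown in this post decompose, as an added Python example that is not from the original post or from OMS itself: space-separated field filters are combined with AND, and an optional `| Measure Sum(...) by ...` stage aggregates the matching records. The sample records, the `run_query` helper, the exact-match comparison and the largest-first ordering are assumptions made for illustration, and only the query shapes used above are handled.

```python
import re
from collections import defaultdict

# Constructed sample records; field names follow the queries in this post.
RECORDS = [
    {"Type": "WireData", "Computer": "web01", "LocalSubnet": "172.16.4.0/22", "TotalBytes": 1200},
    {"Type": "WireData", "Computer": "web02", "LocalSubnet": "172.16.4.0/22", "TotalBytes": 800},
    {"Type": "WireData", "Computer": "sql01", "LocalSubnet": "10.0.8.0/24", "TotalBytes": 5000},
    {"Type": "WireData", "Computer": "web01", "LocalSubnet": "172.16.4.0/22", "TotalBytes": 300},
    {"Type": "Event", "Computer": "web01", "EventID": 851},
]

# A filter term is Field=value or Field:value; the value may be quoted.
FILTER = re.compile(r'(\w+)\s*[=:]\s*(?:"([^"]*)"|(\S+))')
MEASURE = re.compile(r'measure\s+sum\((\w+)\)\s+by\s+(\w+)$', re.IGNORECASE)


def run_query(query, records=RECORDS):
    """Evaluate `Field=value ... [| Measure Sum(F) by G]` over records."""
    # Queries copied from rendered web pages often carry typographic quotes.
    query = re.sub('[\u201c\u201d\u2033]', '"', query)
    filter_part, _, command = (p.strip() for p in query.partition("|"))
    terms = [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
             for m in FILTER.finditer(filter_part)]
    # Every filter term must match (implicit AND); comparison is exact here.
    rows = [r for r in records if all(str(r.get(f)) == v for f, v in terms)]
    if not command:
        return rows
    m = MEASURE.match(command)
    if m is None:
        raise ValueError(f"unsupported command: {command!r}")
    sum_field, group_field = m.groups()
    totals = defaultdict(int)
    for r in rows:
        totals[r.get(group_field)] += r.get(sum_field, 0)
    # Largest total first, a choice of this example to surface top talkers.
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for q in ("Type:WireData | Measure Sum(TotalBytes) by LocalSubnet",
              'Type:WireData LocalSubnet="172.16.4.0/22"',
              "Type=WireData | measure Sum(TotalBytes) by Computer"):
        print(q, "->", run_query(q))
```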

That is all I have for you today. Join me on Monday when I will talk about examining the #MSOMS configuration. Until then, have a great weekend.

I invite you to follow me on Twitter and the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy! Blog. If you have any questions, send email to me at scripter@microsoft.com. I wish you a wonderful day, and I’ll see you tomorrow.

Ed Wilson
Microsoft Operations Management Team

Comments (1)

  1. Bob Robinson says:

    Ed,

    I am having difficulty in writing a search string for EventID=851 (A change has been made to the Windows Firewall application exception list). I get the alert to fire but no identifying data is contained in the alert. I am an absolute beginner. Any help would be appreciated.

    Bob Robinson
