How to use criteria when scoping alerts

This article explains how to filter alerts using advanced criteria when using the alerts tile. For full details of the options available when configuring an Alerts tile, such as filtering, see How to use the Alerts tile.

For more information about the basic scoping options see How to scope tiles

For advanced criteria for scoping objects see How to use criteria when scoping objects.

Scope Criteria

The Criteria option under Scope -> Advanced allows you to more precisely filter alerts by creating a specific expression to refine the list of alerts.

For example, Owner = 'sales\cash' will return only alerts where the Cash user has been assigned as an owner of the alert:

Name LIKE '%failed%' would only display alerts where the alert name includes "failed":

Criteria will work with any configured Filters, but when using an expression in Criteria you may prefer to set the Filters options to Any so filtering is only occurring from one source.

Useful operators

The table below shows some of the common operators and wildcards you can use when defining a criteria expression.

Operator	Effect
=	equals
!=	does not equal
<	less than
>	greater than
LIKE	simple pattern matching
%	matches any number of characters when used with LIKE
_	matches any single character when used with LIKE
MATCHES	full .net regular expression matching
AND	test if two conditions are both true
OR	test if either of two conditions are true

See the following Microsoft pages for more information on the syntax and a full list of and operators:

Criteria Expression Syntax

Alert Properties

Property names are case sensitive, i.e. it must be Name, not name; ResolutionState not Resolutionstate. Useful properties for use in Criteria expressions include:

Property Name	Values
Name	The name of the alert
Description	Depending on how this is written to the Data Warehouse by your management pack, the description can be stored under either AlertParams or Description. When filtering on alerts you will want to use both to ensure that this captures either case, for example: `AlertParams LIKE '%server connection%' OR Description LIKE '%server connection%'`
ResolutionState	Default Resolution States are: 0 = New 249 = Acknowledged 248 = Assigned to Engineering 247 = Awaiting Evidence 254 = Resolved 250 = Scheduled 255 = Closed
Severity	Severity levels for alerts: 2 = Critical/Error 1 = Warning 0 = Information `Severity=2` is the same as selecting Severity of error in the Filters section.
Priority	Priority levels for alerts: 2 = High 1 = Medium 0 = Low
MonitoringObjectHealthState	HealthStates are: 1 = Healthy 2 = Warning 3 = Critical 0 = Unmonitored
MonitoringObjectInMaintenanceMode	1 if in maintenance mode, otherwise 0
Owner	will be NULL if unassigned

See the Remarks section in the following Microsoft article for valid property names in alert criteria:

MonitoringAlertCriteria Class

Example Criteria

The following table provides you with some example filters that are commonly used by dashboard authors.

Many of the examples can be achieved purely by using the Filters section, but they are included here to demonstrate the syntax and use of properties.

Alerts you would like to see	Criteria
Only new alerts	`ResolutionState = 0`
Alerts that are not closed	`ResolutionState != 255`
Alerts that are not resolved	`ResolutionState != 254`
List critical or high priority alerts	`Severity=2 OR Priority=2`
Alerts that are not Information, i.e. Warning or Critical alerts	`Severity !=0`
Alerts for objects in a warning health state	`MonitoringObjectHealthState = 2`
Alerts for servers that are in maintenance mode	`MonitoringObjectInMaintenanceMode = 1`
All those not in maintenance mode	`MonitoringObjectInMaintenanceMode = 0`
Alerts with a specific owner	`Owner = 'domain\username'`
Alerts with no owner	`Owner IS NULL`
Alerts with a particular name	`Name = 'Failed to Connect to Computer'`
Alerts with a similar name	`Name LIKE '%failed%'`
Alerts with a particular description (using either AlertParams or Description)	`AlertParams LIKE '%server connection%' OR Description LIKE '%server connection%'`
Closed alerts where owner is not test	`Owner !='domain\test' AND ResolutionState = 255`
Alerts that do not start with 'Web Application' and do not mention IIS	`NOT (Name = 'Web Application' OR Name like '%IIS%')`
All alerts for particular objects	`(MonitoringObjectPath LIKE '%Server4%' OR MonitoringObjectPath LIKE '%Server3%')`
Alerts modified by users, not updated automatically	`LastModifiedBy != 'system'`

Was this article helpful?

Have more questions or facing an issue?

Submit a ticket