How to use criteria when scoping alerts
This article explains how to filter alerts using advanced criteria when using the alerts tile. For full details of the options available when configuring an Alerts tile, such as filtering, see How to use the Alerts tile.
For more information about the basic scoping options see How to scope tiles
For advanced criteria for scoping objects see How to use criteria when scoping objects.
Scope Criteria
The Criteria option under Scope -> Advanced allows you to more precisely filter alerts by creating a specific expression to refine the list of alerts.
For example, Owner = 'sales\cash' will return only alerts where the Cash user has been assigned as an owner of the alert:
Name LIKE '%failed%' would only display alerts where the alert name includes "failed":
Criteria will work with any configured Filters, but when using an expression in Criteria you may prefer to set the Filters options to Any so filtering is only occurring from one source.
Useful operators
The table below shows some of the common operators and wildcards you can use when defining a criteria expression.
Operator | Effect |
|---|---|
= | equals |
!= | does not equal |
< | less than |
> | greater than |
LIKE | simple pattern matching |
% | matches any number of characters when used with LIKE |
_ | matches any single character when used with LIKE |
MATCHES | full .net regular expression matching |
AND | test if two conditions are both true |
OR | test if either of two conditions are true |
See the following Microsoft pages for more information on the syntax and a full list of and operators:
Alert Properties
Property names are case sensitive, i.e. it must be Name, not name; ResolutionState not Resolutionstate. Useful properties for use in Criteria expressions include:
Property Name | Values |
|---|---|
Name | The name of the alert |
Description | Depending on how this is written to the Data Warehouse by your management pack, the description can be stored under either AlertParams or Description. When filtering on alerts you will want to use both to ensure that this captures either case, for example: AlertParams LIKE '%server connection%' OR Description LIKE '%server connection%' |
ResolutionState | Default Resolution States are: 0 = New 249 = Acknowledged 248 = Assigned to Engineering 247 = Awaiting Evidence 254 = Resolved 250 = Scheduled 255 = Closed |
Severity | Severity levels for alerts: 2 = Critical/Error 1 = Warning 0 = Information Severity=2 is the same as selecting Severity of error in the Filters section. |
Priority | Priority levels for alerts: 2 = High 1 = Medium 0 = Low |
MonitoringObjectHealthState | HealthStates are: 1 = Healthy 2 = Warning 3 = Critical 0 = Unmonitored |
MonitoringObjectInMaintenanceMode | 1 if in maintenance mode, otherwise 0 |
Owner | will be NULL if unassigned |
See the Remarks section in the following Microsoft article for valid property names in alert criteria:
Example Criteria
The following table provides you with some example filters that are commonly used by dashboard authors.
Many of the examples can be achieved purely by using the Filters section, but they are included here to demonstrate the syntax and use of properties.
Alerts you would like to see | Criteria |
|---|---|
Only new alerts | ResolutionState = 0 |
Alerts that are not closed | ResolutionState != 255 |
Alerts that are not resolved | ResolutionState != 254 |
List critical or high priority alerts | Severity=2 OR Priority=2 |
Alerts that are not Information, i.e. Warning or Critical alerts | Severity !=0 |
Alerts for objects in a warning health state | MonitoringObjectHealthState = 2 |
Alerts for servers that are in maintenance mode | MonitoringObjectInMaintenanceMode = 1 |
All those not in maintenance mode | MonitoringObjectInMaintenanceMode = 0 |
Alerts with a specific owner | Owner = 'domain\username' |
Alerts with no owner | Owner IS NULL |
Alerts with a particular name | Name = 'Failed to Connect to Computer' |
Alerts with a similar name | Name LIKE '%failed%' |
Alerts with a particular description (using either AlertParams or Description) | AlertParams LIKE '%server connection%' OR Description LIKE '%server connection%' |
Closed alerts where owner is not test | Owner !='domain\test' AND ResolutionState = 255 |
Alerts that do not start with 'Web Application' and do not mention IIS | NOT (Name = 'Web Application' OR Name like '%IIS%') |
All alerts for particular objects | (MonitoringObjectPath LIKE '%Server4%' OR MonitoringObjectPath LIKE '%Server3%') |
Alerts modified by users, not updated automatically | LastModifiedBy != 'system' |