If you need to use any non-string data type in the criteria for custom Rules and Monitors, you’ll need to edit the XML in order for it to work properly.  By default, OpsMgr will treat everything as a String value and the Rule/Monitor will not work properly.

 

For example, I created a rule to watch for Event ID 1000 in the Application Log and throw an Alert if Parameter 1 is greater than 20.  Here is the Rule criteria:

 

image

image

 

Using Event Log Explorer (awesome tool for testing, get it here), I generate Event 1000 with Parameter 1 set to 9:

image

 

I then received the following alert:

image

 

The reason I received this alert is that if OpsMgr is evaluating Parameter 1 as a String Value, then 9 would be greater than 20 (since 9 is greater than 2).

To correct, this I’ll need to edit the XML of the rule to change the data type to Integer.

So, I export the Management Pack that contains this Rule and look at the XML.

 

Here is the full XML of the Rule.  The expression that we are concerned with is highlighted in green, and the part we need to change is in red.

 

<Rule ID="MomUIGeneratedRuleb80bc5a17ec4486185215843882c0046" Enabled="true" Target="MicrosoftWindowsLibrary6062780!Microsoft.Windows.Computer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Custom</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="MicrosoftWindowsLibrary6062780!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="MicrosoftWindowsLibrary6062780!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">1000</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">Params/Param[1]</XPathQuery>
              </ValueExpression>
              <Operator>Greater</Operator>
              <ValueExpression>
                <Value Type="String">20</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>

        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertOwner />
      <AlertMessageId>$MPElement[Name="MomUIGeneratedRuleb80bc5a17ec4486185215843882c0046.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Params/Param[1]$</AlertParameter1>
      </AlertParameters>
      <Suppression />
      <Custom1 />
      <Custom2 />
      <Custom3 />
      <Custom4 />
      <Custom5 />
      <Custom6 />
      <Custom7 />
      <Custom8 />
      <Custom9 />
      <Custom10 />
    </WriteAction>
  </WriteActions>
</Rule>

 

To get this rule to work as expected, we’ll need to change “String” to “Integer”

          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="Integer">Params/Param[1]</XPathQuery>
              </ValueExpression>
              <Operator>Greater</Operator>
              <ValueExpression>
                <Value Type="Integer">20</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>

So, I make the change to the XML, update the version number of the MP, and reimport it.

I create the same event on the agent an no longer get alerted on it.

The possible data types that can be used here are:

"Boolean"
"Integer"
"UnsignedInteger"
"Double"
"Duration"
"DateTime"
"String"