How to find a specific rule/monitor/discovery in the console – when all you have a more cryptic ID in an alert
Sometimes – we will get a Script Error alert, or WMI failure Alert, or some generic alert, telling us that some OTHER workflow had a problem. These alerts are NOT the root cause… the root cause is the workflow that gets referenced in the alert.
The problem is – the alert often gives us a Rule/Monitor/Discovery name, that is not the same as the Common Display Name of the workflow in the console.
For instance – in R2 – we have a new rule that will temporarily disable a workflow that is flooding alerts. Here is an example of that alert:
Alert generation was temporarily suspended due to too many alerts
A rule has generated 50 alerts in the last 60 seconds.
Usually, when a rule generates this many alerts, it is because the rule definition is misconfigured.
Please examine the rule for errors.
In order to avoid excessive load, this rule will be temporarily suspended until 2009-04-17T10:54:33.2764287+01:00.
Rule: Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert
Instance: rms.opsmgr.net
Instance ID: {1219134EC-909D-VA37-1E06-679DD505D87C}
Management Group: OPS
Now – to tune, or investigate – we need to understand the problem workflow. In this case… the problem workflow is a rule, “Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert”
To troubleshoot – we need to find this rule in the console. However – the console lets us search on the Display Name, not this more cryptic ID. So here is a query that will help us map that:
Rules:
SQL:
select DisplayName from ruleview
where name = 'Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert'
Command Shell:
(Get-Rule | Where {$_.name -match 'Microsoft.SystemCenter.GenericNTPerfMapperModule.FailedExecution.Alert'}).DisplayName
Discoveries:
SQL:
select DisplayName from DiscoveryView
where name = 'Microsoft.Office.Sharepoint.Server.2007.MOSS.Server.Discovery'
Command Shell:
(Get-Discovery| Where {$_.name -match 'Microsoft.Office.Sharepoint.Server.2007.MOSS.Server.Discovery'}).DisplayName
Monitors:
SQL:
select DisplayName from monitorview
where Name = 'MAPI_logon_failure.Monitor'
Command Shell:
(Get-Monitor| Where {$_.name -match 'MAPI_logon_failure.Monitor'}).DisplayName
This will output the common display name of the rule/monitor/discovery:
Generic Performance Mapper Module Execution Failure
With this – finding the rule is pretty easy. One of the fastest ways – is to use search:
Tools > Search, then paste in the workflow common display name we got from the query:
Then – click “View Knowledge” This will bring up the rule properties. From there – you can view the data source, and get a better idea of what the rule/monitor/discovery does, and how to troubleshoot it.
