Skip to content
adatum
  •  SCOM Web API
  • About adatum
Site Search
Operations Manager

Hunting quick closing SCOM alerts

  • 12/10/201712/10/2017
  • by Martin Ehrnst

 

I had a feeling that we had alot of alerts that closed automatically, very quickly and without any interaction from automation. To get an overview I put together this SQL query to run against the Datawarehouse DB.

The query joins three views and extract the alert Guids, name, ManagedEntity (monitoring object) and alert name.


select Res.AlertGuid, Res.TimeFromRaisedSeconds, Alert.AlertName, Entity.ManagedEntityDefaultName, Entity.ManagedEntityGuid from Alert.vAlertResolutionState AS Res
INNER JOIN Alert.vAlert as Alert
on Res.AlertGuid = Alert.AlertGuid
INNER JOIN vManagedEntity AS Entity
on Alert.ManagedEntityRowId = Entity.ManagedEntityRowId
where Res.TimeFromRaisedSeconds < '30' AND Res.StateSetByUserId = 'System' AND ResolutionState = '255' AND Alert.RaisedDateTime >= DATEADD(day,-30, GETDATE())

 

With a little help from my DBA we ended up with this which also group alert name and count the # of alerts for each object

select
--Res.AlertGuid
--, Res.TimeFromRaisedSeconds
COUNT(*)
,Alert.AlertName
--, Entity.ManagedEntityDefaultName
, Entity.Path
, Entity.DisplayName
from Alert.vAlertResolutionState AS Res
INNER JOIN Alert.vAlert as Alert
on Res.AlertGuid = Alert.AlertGuid
INNER JOIN vManagedEntity AS Entity
on Alert.ManagedEntityRowId = Entity.ManagedEntityRowId
where Res.TimeFromRaisedSeconds < '49' AND Res.StateSetByUserId = 'System' AND ResolutionState = '255' AND Alert.RaisedDateTime >= DATEADD(day,-4, GETDATE())
GROUP BY AlertName, Path, DisplayName

For other useful SCOM SQL Queries, take a look at Kevin Holman’s blog

Share this:

  • LinkedIn
  • Twitter
  • Email
Operations Manager

HealthServiceStore.edb file growth

  • 25/03/201508/04/2015
  • by Martin Ehrnst

A while back i got an alert that system drive on one of our monitored servers was full. When examining what was consuming disk space I noticed that HealthServiceStore.edb, located in the agent’s Health Service State folder was way to large.

HealthServiceStore.edb is where the result of every workflow that runs on this agent is stored and sent to your Management Server(s). An agent running a lot of performance counters (Exchange, SQL etc) will probably have a larger database file than your average file server.

At first, i tried to flush the agents cache wich did not work. The next thing i tried was to run the “online store maintenance” task from OpsMgr console, this task will run a de-fragmentation of the database file.
onli

You can follow the result in the event log, HealthService (7404) Health Service Store: Online defragmentation is beginning a full pass on database ‘<C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Health Service Store\HealthServiceStore.edb>’.

Did this work? No, my database file was still huge.
The next thing to do, is to perform a “Dirty Defrag” on the DB file. To do this,

  • open your favorite shell and navigate to C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Health Service Store
  • Stop Healthservice.exe (Microsoft Monitoring Agent)
  • Run esentutl /r edb (recovery mode)
  • Start defragmentation by running esentutl /d HealthServiceStore.edb

esentutl

Your healthservicestore.edb should now have a normal size.

Do you have anything to include, please comment.

Share this:

  • LinkedIn
  • Twitter
  • Email

Top Posts & Pages

  • Creating Azure AD Application using Powershell
  • Maintenance Mode based on Event
  • SCOM 1801 REST API Interfaces
  • Script to add SCOM agent management group
  • SCOM Alerts to Microsoft Teams and Mattermost
  • Microsoft Secure application model
  • Resource health through Azure Rest API
  • Using webhook in scom subscription (POC)
  • HealthServiceStore.edb file growth

Tags

#Serverless #Azure # speaking agent announcements api authoring Automation Azure AzureAD AzureCloudShell AzureFunctions AzureMonitor AzureRM CSP database EventGrid ExpertsLive ExpertsLiveEU Integrations LogAnalytics management pack monitoring MSBuild2018 MSIgnite MSIgnite2017 MSOMS news nicconf OperationsManager OpsMgr Powershell ProjectHonolulu QUickPublish rest SCDPM SCOM SCOM2016 scu2016 SCVMM Serverless SquaredUP SysCtr system center Teams Webasto WindowsAdminCenter

Follow Martin Ehrnst

  • Twitter
  • LinkedIn

RSS Feed RSS - Posts

RSS Feed RSS - Comments

Adatum.no use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Cookie Policy
Theme by Colorlib Powered by WordPress
loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.