database Archives

Hunting quick closing SCOM alerts

12/10/201712/10/2017
by Martin Ehrnst

I had a feeling that we had alot of alerts that closed automatically, very quickly and without any interaction from automation. To get an overview I put together this SQL query to run against the Datawarehouse DB.

The query joins three views and extract the alert Guids, name, ManagedEntity (monitoring object) and alert name.

select Res.AlertGuid, Res.TimeFromRaisedSeconds, Alert.AlertName, Entity.ManagedEntityDefaultName, Entity.ManagedEntityGuid from Alert.vAlertResolutionState AS Res INNER JOIN Alert.vAlert as Alert on Res.AlertGuid = Alert.AlertGuid INNER JOIN vManagedEntity AS Entity on Alert.ManagedEntityRowId = Entity.ManagedEntityRowId where Res.TimeFromRaisedSeconds < '30' AND Res.StateSetByUserId = 'System' AND ResolutionState = '255' AND Alert.RaisedDateTime >= DATEADD(day,-30, GETDATE())

With a little help from my DBA we ended up with this which also group alert name and count the # of alerts for each object
select --Res.AlertGuid --, Res.TimeFromRaisedSeconds COUNT(*) ,Alert.AlertName --, Entity.ManagedEntityDefaultName , Entity.Path , Entity.DisplayName from Alert.vAlertResolutionState AS Res INNER JOIN Alert.vAlert as Alert on Res.AlertGuid = Alert.AlertGuid INNER JOIN vManagedEntity AS Entity on Alert.ManagedEntityRowId = Entity.ManagedEntityRowId where Res.TimeFromRaisedSeconds < '49' AND Res.StateSetByUserId = 'System' AND ResolutionState = '255' AND Alert.RaisedDateTime >= DATEADD(day,-4, GETDATE()) GROUP BY AlertName, Path, DisplayName
For other useful SCOM SQL Queries, take a look at Kevin Holman’s blog

HealthServiceStore.edb file growth

25/03/201508/04/2015
by Martin Ehrnst

A while back i got an alert that system drive on one of our monitored servers was full. When examining what was consuming disk space I noticed that HealthServiceStore.edb, located in the agent’s Health Service State folder was way to large.

HealthServiceStore.edb is where the result of every workflow that runs on this agent is stored and sent to your Management Server(s). An agent running a lot of performance counters (Exchange, SQL etc) will probably have a larger database file than your average file server.

At first, i tried to flush the agents cache wich did not work. The next thing i tried was to run the “online store maintenance” task from OpsMgr console, this task will run a de-fragmentation of the database file.

You can follow the result in the event log, HealthService (7404) Health Service Store: Online defragmentation is beginning a full pass on database ‘<C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Health Service Store\HealthServiceStore.edb>’.

Did this work? No, my database file was still huge.
The next thing to do, is to perform a “Dirty Defrag” on the DB file. To do this,

open your favorite shell and navigate to C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Health Service Store

Stop Healthservice.exe (Microsoft Monitoring Agent)

Run esentutl /r edb (recovery mode)

Start defragmentation by running esentutl /d HealthServiceStore.edb

Your healthservicestore.edb should now have a normal size.

Do you have anything to include, please comment.

Hunting quick closing SCOM alerts

Share this:

HealthServiceStore.edb file growth

Share this: