This article only applies to Squared Up Version 2.0. If you're looking for help with Squared Up Version 3.0, please visit our new knowledge base.

This article explains how to create an expression in the Advanced Criteria option when scoping a section to show alerts.

Filters

When configuring an Alerts section, the Filters section gives you some basic options for filtering the alerts returned.


Scope - Advanced - Criteria

The Scope - Advanced - Criteria section allows you to more precisely filter alerts by creating a specific expression to refine the list of alerts.


For example:

Owner = 'mydomain\user2'



Criteria will work with any Filters, but when using an expression in Criteria you may prefer to set the 'Filters' options to 'Any'.


Useful operators

Operator | Meaning
= | equals
!= | does not equal
LIKE |
% | as a wild card
AND |
OR |

See the following Microsoft pages for more information about syntax and operators:

Criteria Expression Syntax


Properties

The property names are case sensitive, i.e. it must be Name, not name; ResolutionState, not Resolutionstate.

Useful properties for use in Criteria expressions include:


Property Name  Values

Name


ResolutionState

Default Resolution States are:
0 = New
249 = Acknowledged
248 = Assigned to Engineering
247 = Awaiting Evidence
254 = Resolved
250 = Scheduled
255 = Closed

Severity

Severity levels for alerts:
2 = Critical/Error
1 = Warning
0 = Information

Priority 

Priority levels for alerts:
2 = High
1 = Medium
0 = Low

MonitoringObjectHealthState

HealthStates are:
1 = Healthy
2 = Warning
3 = Critical
0 = Unmonitored

MonitoringObjectInMaintenanceMode

 

Owner

 

Also see valid property names for alerts criteria: MonitoringAlertCriteria Class


Severity=2 is the same as selecting Severity of 'error' in the Filters section.

Example Criteria

Alerts you would like to see | Criteria
Only new alerts | ResolutionState = 0
Alerts that are not closed | ResolutionState != 255
Alerts that are not resolved | ResolutionState != 254 (or ResolutionState <> 254)
List warning and high priority alerts | Severity=2 OR Priority=2
Alerts that are not 'information', i.e. Warning or Critical alerts | Severity !=0
Alerts for objects in a particular health state | MonitoringObjectHealthState = 2
Alerts for servers that are in maintenance mode | MonitoringObjectInMaintenanceMode = 1
All those not in maintenance mode | MonitoringObjectInMaintenanceMode = 0
Alerts with a specific owner | Owner = 'mydomain\username'
Alerts with no owner | Owner IS NULL
Alerts with a particular name | Name = 'Failed to Connect to Computer' (or, to match part of the name, Name LIKE '%failed%')
Closed alerts where owner is not test | Owner !='mydomain\test' AND ResolutionState = 255
Alerts that do not start with 'Web Application' and do not mention IIS | NOT (Name LIKE 'Web Application%' OR Name LIKE '%IIS%')
All alerts for particular objects | (MonitoringObjectPath LIKE '%Server4%' OR MonitoringObjectPath LIKE '%Server3%')


Alert Description

Searching on alert description depends on how the description is written to the data warehouse by your management pack: it can be stored under either AlertParams or Description. When filtering alerts, use both so that either case is captured. For example:

AlertParams LIKE '%server connection%' OR Description LIKE '%server connection%'
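
One way to check a criteria expression before saving it in a dashboard is to run it in the Operations Manager Shell. The script below is an added example, not part of the original article or of Squared Up. It assumes the OperationsManager PowerShell module is installed, that Get-SCOMAlert -Criteria accepts the same expression syntax as the Criteria box, and that 'scom-ms01.example.local' (a placeholder) is replaced with your own management server.

```powershell
# Added example: dry-run criteria expressions against the management group.
Import-Module OperationsManager

# Placeholder server name (assumption): replace with your management server.
$ManagementServer = 'scom-ms01.example.local'
New-SCOMManagementGroupConnection -ComputerName $ManagementServer

# Expressions taken from this article. The last one uses the wrong case on
# purpose: the article says property names are case sensitive, so it is
# expected to come back as invalid rather than as "zero alerts".
$Expressions = @(
    "ResolutionState = 0",
    "ResolutionState != 255",
    "Severity = 2 OR Priority = 2",
    "Owner IS NULL",
    "Name LIKE '%failed%'",
    "AlertParams LIKE '%server connection%' OR Description LIKE '%server connection%'",
    "Resolutionstate = 0"
)

$Results = foreach ($Expression in $Expressions) {
    try {
        # -ErrorAction Stop turns a rejected expression into a catchable error.
        $Alerts = @(Get-SCOMAlert -Criteria $Expression -ErrorAction Stop)
        [pscustomobject]@{
            Criteria = $Expression
            Valid    = $true
            Count    = $Alerts.Count
            Sample   = ($Alerts | Select-Object -First 1).Name
            Error    = $null
        }
    }
    catch {
        # Keep the error text so a typo is distinguishable from an empty result.
        [pscustomobject]@{
            Criteria = $Expression
            Valid    = $false
            Count    = 0
            Sample   = $null
            Error    = $_.Exception.Message
        }
    }
}

$Results | Format-Table -AutoSize -Wrap
```

An expression that is valid but returns a count of 0 is worth a second look before it goes on a dashboard, since an over-narrow filter hides alerts silently.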


See also:
How to set the Scope using the Dashboard Designer

How to use criteria when scoping objects

How to create a dashboard grouping Alerts by Severity