.\Matthew Long

{An unsorted collection of thoughts}

Using the System.LogicalSet.ExpressionFilter in SCOM Management Packs

Posted by Matthew on June 14, 2012

What is it?

The System.LogicalSet.ExpressionFilter is a Condition Detection module that functions in a similar fashion to the System.ExpressionFilter module, except it allows you to evaluate multiple data items (usually Property Bags) as a group and then act based if any (or all) of the objects in the group match your criteria.

What is it used for?

You can use this module wherever you have a group of data items that you need to act upon only if all (or any number) meet a certain criteria.  Note that you can’t specify how many items must match, only that either all of them should match or at least 1.  If you need to have access to that kind of filtering, you need to use a Consolidator.

Some common examples include processing health state information for multiple performance counters, viewing the execution history of jobs or scheduled tasks, or checking the health of multiple components at once.  You can also use this to replace scripts that often check lots of criteria and produce a single healthy/unhealthy status code based on the evaluation of all of the criteria, which may open further opportunities to make use of cookdown between your workflows.  I’ll give an example of this below in the example Scenarios.

When using this in monitoring workflows, you will most likely be using the System.LogicalSet.ExpressionFilter for the Healthy health state (all items don’t match your unhealthy criteria) and then regular ExpressionFilters for your unhealthy state(s).


Essentially, the configuration for this module is exactly the same as an ExpressionFilter, except you have two new Attributes.

EmptySet allows you to control what happens if no data items are provided to the module in the workflow

  • Passthrough – carries on the workflow to the next module.
  • Block- terminate the workflow at this module.

SetEvaluation allows you to specify if the group of data items should be passed on to the next workflow if

  • Any – If at least one item matches the expression filter, pass on all items.
  • All  – Only pass on items if ALL items match the expression filter.

It’s also worth noting, that since all data items that are passed along the workflow to output will be returned as Alert Context, this can make it very helpful when correlating items (often it’s not the matching log line you need, but the ones before and after that help you troubleshoot the problem!).  Just set the SetEvalaution attribute to Any.

Example Scenarios

Job Execution History / Previous Events Monitor

In this scenario, we are looking at multiple Property Bags that each describe a Job instance or perhaps an Event Log Entry every 10 minutes.  We only want to return a healthy state if none of the instances/events match unhealthy criteria.  If one or more do, then we want to flag an unhealthy state.  I’ve configured the below example as if i was receiving a property bag with job data, but you could substitute that for event codes, or really anything else that may appear in your data items.

Healthy State Module : System.LogicalSet.ExpressionFilter

  • Expression:
<XPathQuery Type="String">Property[@Name='JobStatus']
               <Value Type="String">Success</Value>
  • EmptySet: PassThrough
  • SetEvaluation: All

Unhealthy State Module: System.ExpressionFilter

  • Expression:
                <XPathQuery Type="String">Property[@Name='JobStatus']</XPathQuery>
                <Value Type="String">Success</Value>

Replacing multiple Check logic in Scripts

The idea here is that we may have a script-based datasource that checks multiple aspects of an object to determine if it is healthy.  The script then has some internal logic (usually via If checks and And/Or expressions)  to sum up all of the checks and provide a health status based on the sum of all of the checks.  This is all very well and good, but what if we need to create a second monitor/rule/diagnostic that only depends on one (or a selection) of these checks?  We are going to have to implement another script (using most likely 90% of the same code) to provide that data, and now manage edits between the two scripts to keep them up to date.

Instead, what we could do is provide multiple property bags from our script, each one providing the pass/fail status of each check individually.  Then using System.LogicalSet.ExpressionFilters for our Healthy Condition and regular System.ExpressionFilters for our unhealthy condition(s) we can detect if any check failed.  If we want to raise unhealthy conditions only if ALL checks failed, then you just swap the two around, using System.LogicalSet.ExpressionFilters for your unhealthy states.

Multi-Instance Perfmon Counters

Essentially the idea here is that you want to monitor a performance counter with multiple instances, and you want to be alerted if any one of the instances (or perhaps all) trigger a certain threshold.  There is a great example of this already written up at the Operations Manager team blog, which i’ve linkced to below.

Checking Returned Rows from a Database

This one is pretty simple, using an System.OleDBProbe you can retrieve rows based on a Query from a database, and then check the rowset to see if any/all rows match your criteria.  Just make sure you configure the OleDBProbe to return a data item for each row, rather than all in one item!


Hope that helps someone out.  If you have any specific examples you’d like me to walk through, just post a comment and I’ll see what I can do!


3 Responses to “Using the System.LogicalSet.ExpressionFilter in SCOM Management Packs”

  1. […] Using the System.LogicalSet.ExpressionFilter in SCOM Management Packs […]

    • Patrick said

      Hey Matthew!

      Great blog, thanks for sharing!
      I’m struggling arround with OleDb an multi-instance data.

      Do you have an example for that?

      Currently I do the usual step but it works not as it should.
      I have the following expressions:













      It seems to work but I had a case where a warning value was in the 4th line and still the monitor changed to healthy.
      Any idea how to solve that?

      Further, how does the filter works in case of data, where the first is unhealthy and the following ones are healthy?

      It’s a bit unclear and not that good documented.

      Thanks for your time and again: great job!


      • Matthew said

        Hi Patrick,

        I’m assuming that you are setting the OneRowPerItem setting in your OLEDB module to True? (discussed here https://matthewlong.wordpress.com/2012/06/23/query-a-database-without-scripting-as-part-of-scom-monitoring-the-system-oledbprobe-module/)

        If you have this set to false, you’ll only get a single data item for all of your rows, and the LogicalSet.ExpressionFilter will process them all as one big data item (meaning your Columns XPath references will need to explicitly reference every possible row – not good).

        Your monitor will behave inconsistently if the expression filters for Healthy and Unhealthy both match at the same time, you MUST make sure that they are mutually exclusive so that if one evaluates to true the other cannot. The likely the culprit is that the Warning filter logic; as it currently stands it must match when at least 1 item is in a warning state, but NOT if any are in a critical state. Unfortunately the Set Evaluation mode for a LogicalSet.Expression filter doesn’t have that kind of functionality, it’s either all or nothing. As such, you’ll need to make you’ve:

        -Configured your OLEDB probe module to output Multiple items of data (OneRowPerItem should be set to True)
        -Make sure that ALL of your health state filters are LogicalSet.Expression filters
        -The Healthy filter Set Evaluation mode is set to All. This means that if any item is unhealthy, the filter will block all items and this health state won’t match.
        -The Critical filter Set Evaluation Mode is set to Any. This means that if any 1 item is Critical, the filter will pass all items and this health state will match.
        -The Warning filter Set Evaluation mode is set to All. You’ll then need to add in an additional normal System.ExpressionFilter before this module in the Warning health state workflow, that is set to only pass items where the column value is GreaterEqual the Warning Threshold (don’t include the Less than logic for the critical threshold value here, you NEED it to pass on if there are critical items too).

        What this will mean is that if every item is healthy, only the Healthy filter will match. If any item is critical, only the critical filter will match. If at least 1 item is in the warning range, and no items are critical, only the Warning filter will match.

        If all else fails, the workflow analyser can be used to see the results of the Expression filter comparisons, so you can see what logic passed/blocked each data item in the workflow. The output of the tool however isn’t documented, and is absolutely not for the feint of heart!

        Hope that helps, and sorry for the late reply!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s