.\Matthew Long

{An unsorted collection of thoughts}

Posts Tagged ‘Operations Manager 2012’

SCOM 2012: Runbook to get SCOM Group membership in System Center Orchestrator

Posted by Matthew on May 15, 2014

A quick one today sharing a useful runbook that I’ve used a couple of times now – getting the list of SCOM groups that a Monitored SCOM object is a member of.  The runbook is basically a powershell script (isn’t it always!) that recursively parses group membership by navigating the System.Containment Relationships between the given monitored object and anything inheriting from the group class.  This means..

  1. It works on all groups (both from sealed MPs and user created ones).
  2. It works on anything based on a Containment relationship (so anything other than a reference relationship, which meaningfully is all the valid ones for considering group membership)
  3. It supports nested groups and indirect membership (so if a computer is a member of a group, and you query membership for a logical disk in that computer, it is counted as being in the group).

In terms of output, the runbook reports the name of the group, the name of the object that is actually the direct member of the group, and the SCOM class of the object that is the direct member of the group. This is mostly very useful when you are building automated ticketing or notification workflows (if a member of a given group, assign to or alert a specific team), but also useful for automated triage scenarios (i.e. if the computer is a member of the SQL servers group, automated patching should include these extra steps…)

The Script

As is often the case, this script has been written for Orchestrator in mind, so make sure you populate the variables on lines 3,5 and 8.  If your Runbook Server service account already has access to SCOM, you can remove line 3 and take the -Credential $cred off of line 5.

Import-Module "C:\Program Files\System Center 2012\Operations Manager\Powershell\OperationsManager"

$cred = new-object "System.Management.Automation.PSCredential" ("SCOM Username", (ConvertTo-SecureString "SCOM Password" -AsPlainText -Force))

New-SCOMManagementGroupConnection -ComputerName "SCOM Management Server" -Credential $cred

$mg = Get-SCOMManagementGroup
$monitoringObject = Get-ScomClassInstance -Id "Monitoring Object ID"

$groupClass = Get-SCOMClass -Name System.Group
$relationship = $mg.GetmonitoringRelationshipClass([Microsoft.EnterpriseManagement.Configuration.SystemRelationship]::Containment)
$groups = $monitoringObject.GetMonitoringRelationshipObjectsWhereTarget($relationship, [Microsoft.EnterpriseManagement.Configuration.DerivedClassTraversalDepth]::Recursive, [Microsoft.EnterpriseManagement.Common.TraversalDepth]::Recursive) | where {$_.isDeleted -eq $false -and $_.SourceObject.GetLeastDerivedNonAbstractMonitoringClass().IsSubClassOf($groupClass)}
$groupOutput = @()
$groupMember = @()
$memberClass = @()

ForEach ($group in $groups)
$groupOutput += $group.SourceObject.DisplayName
$groupMember += $group.TargetObject
$memberClass += $group.TargetObject.GetLeastDerivedNonAbstractClass().DisplayName

#Set results into Published Variables.
$Output = $groupOutput
$OutputMemberClass = $memberClass
$OutputMember = $groupMember

The Runbook

The runbook below is designed to be a worker/child runbook that returns multi value data – specifically one object for each group that the object is a member of.  If you need to process this as a single activity, I’d recommend enabling the “Flatten” option on the Behaviour tab of either the Invoke runbook activity used to call this runbook, or on the .net script activity directly if you always want it to return a single string that is delimited by a character.


Initialize Data

Init Data

.Net Script Returned Data Tab

Net Script Data

Return Data

Returned Data

Simple but powerful – just what we like around here 🙂  Hope this helps!


Posted in Computing | Tagged: , , , , , | Leave a Comment »

Upgrading Systems Center Operations Manager 2012 to R2

Posted by Matthew on October 25, 2013

Rob Kuehfus just posted on his blog his process for upgrading SCOM 2012 to R2 (full disclosure, Rob is one of my colleagues).

Anything that has that many screenshots is always helpful when tackling the process yourself.  Rob does note however (and I feel I should reiterate):

warningThis blog post is intended to be used as a reference when upgrading to System Center 2012 R2 Operations Manager. It is not intended to be used in place of the official Microsoft documentation. Please review the upgrade guidance from Microsoft located here


Check out the post (and other useful articles) over at http://itprovssoftware.wordpress.com/2013/10/25/it-pro-vs-scom-2012-r2-upgrade/

Posted in Computing | Tagged: , , | Leave a Comment »

SCOM – Updated Visual Studio Authoring Extensions released

Posted by Matthew on October 21, 2013

Hi Guys,

A new version of the System Center Visual Studio Authoring Extensions has now been released, featuring many bugfixes, improvements and enhancements.  One of these that I’ve long been awaiting is..

Visual Studio 2012 and 2013 are now supported!

This means all of the new VS 2012/3 features that you’ve been waiting to use are now go.  I know items such as previewing files and source control enhancements

Download link : http://www.microsoft.com/en-us/download/details.aspx?id=30169

You’ll need to uninstall the previous version if you’ve already got it installed, as the installer won’t perform an upgrade (at this time, I also uninstalled Visual Studio 2010, as I only had that version installed for MP Authoring, everything else I’m doing has since moved on to more recent versions of VS).

Some of the notable changes are (in no particular order):

  • Support for Visual Studio 2012 and 2013
  • Language packs other than ENU are now built correctly,
  • Picker dialog boxes now traverse Project references properly, as does the Find All references tool.
  • No more access denied error messages when trying to build a 2012 MP that has been auto deployed to a management group.
  • Import wizard can now resolve MP references inside MP bundles
  • Snippet Editor no longer displays duplicate columns when an ID has been used multiple times in the snippet template.
  • Monitor templates now set Auto resolve to “True” by default and Severity to “MatchMonitorHealth”
  • MP Context Parameter replacements can now be used in Module parameters that have non-string data types.
  • MP Simulator can now simulate Agent Task workflows
  • MPBA “Resolve” option now works correctly with generated fragment files

They’ve also changed the Project templates to make it a bit more explicit which versions of Operations Manager each project type supports, and added 2012 SP1 and 2012 R2 explicitly as new project types.  Sadly still no xml  templates provided for datasource, monitortype, probe or condition detection modules.

VSAE Project Types

Full change list: http://social.technet.microsoft.com/wiki/contents/articles/20357.whats-new-in-visual-studio-authoring-extensions-2013.aspx

Remaining Issues:

  • MPBA Tool still doesn’t resolve Alert Strings where the default Language is not the workstation language (switch your machines language and all the missing alert string messages will disappear)
  • No intellisense support when configuring module parameters outside of Template groups (painful when creating custom modules).
  • Go To Definition doesn’t function if you are already previewing an existing item (essentially only works when called from fragments in your projects).
  • Informational schema errors are still logged when you configure module parameters outside of a template group.
  • When creating template snippets, intellisense still only provides snippet specific options, which can make authoring snippets challenging.

Happy Authoring!

Posted in Computing | Tagged: , , , , , , | 5 Comments »

Switch a Visual Studio Authoring Extension MP project between SCOM 2007 and SCOM 2012

Posted by Matthew on February 8, 2013

A couple of times now I’ve started a new MP project in Visual Studio using the Operations Manager Visual Studio Authoring Extensions, and about 45 minutes into my development realized I’ve created the wrong project type.  There have also been a few occasions where requirements change and it makes more sense to change the project from a Core Monitoring (2007) management pack into a 2012 “add-on” pack.

It’s actually quite a simple change to make, providing you know which files to edit.

Project File

  1. Open the .mpproj file that represents your management pack project (NOT the solution file).
  2. Locate the MPFrameworkVersion element in the first PropertyGroup section, and modify it according to the version you want the project to build:
    1. For 2012, use <MpFrameworkVersion>v7.0</MpFrameworkVersion>
    2. For 2007, use <MpFrameworkVersion>v6.1</MpFrameworkVersion>
  3. If downgrading from 2012 to 2007, under the ItemGroup element containing the MP Reference elements, remove any references to MPs that don’t exist in 2007.
  4. Save the file.

Management Pack Fragments

Next, you’ll need to update the SchemaVersion attribute of the ManagementPackFragment element at the start of every .mpx file in your project.  The good news is that you can just use Visual Studio’s find and replace option to replace this in all files in the solution simultaneously!

  1. Open the Project/solution in visual studio.
  2. Open one of the .mpx files, and hit Ctrl+H to open the “Find and Replace” window.
  3. To go from 2007 to 2012, in the “find what” box, enter <ManagementPackFragment SchemaVersion=”1.0″ and in “replace with” enter <ManagementPackFragment SchemaVersion=”2.0″
  4. Otherwise, do the reverse and in the “find what” box, enter <ManagementPackFragment SchemaVersion=”2.0″and in “replace with” enter <ManagementPackFragment SchemaVersion=”1.0″
  5. Make sure “Look in” is set to Current Project.
  6. You can now either click “Find Next” and “Replace” repeatedly if you aren’t comfortable letting VS just replace everything, or hit “Replace All

Save all files in your project, and attempt a build.  If you get any build errors relating to Management pack references or Schema Versions, just look for the reference/file that you missed and update the values.

Needless to say, you should always think carefully before you do this, and thoroughly test the MP to ensure that there aren’t any side effects from now using earlier/later versions of the default SCOM management packs.  Going from 2007 -> 2012 is safer as 2012 is backwards compatible and will support your previous module configurations.

Hope that helps!

Posted in Computing | Tagged: , , , , , | 1 Comment »

Referencing MPBs and other SCOM 2012 Management Packs using Visual Studio Authoring Extensions

Posted by Matthew on January 29, 2013

One of the great features of the SCOM Visual Studio Authoring Extension is the ability to easily view the definitions of content in sealed management packs you are referencing.  Sometimes (especially if you are exporting a MP from the SCOM management group for further customization) you’ll need to reference an MP that is installed in your SCOM management group but that isn’t included in the VSAE package, or isn’t available online.  Most likely this is a system MP or a MP that’s only available as part of a bundle (If your MP contains 2012 dashboards, it’s probably got a reference to Microsoft.SystemCenter.Visualization.Library or Microsoft.SystemCenter.Visualization.Internal).  How can you reference these?

Well if you’ve still got your SCOM installation media to hand you can find all of the MPs imported at installation in the ManagementPacks folder.  This can be great if you’ve got a required reference, or even just want to have a look at how the product group implemented some piece of functionality!

Note however that some of the MPs are wrapped up in MPBs (Management pack bundles).  It’s still perfectly possible to reference these in your project:

  1. Make sure you’re editing a 2012 MP project.  If you’ve chosen an Operations Manager Core MP, you’ll be unable to add a reference to MPBs as they didn’t exist at that time.
  2. In Solution Explorer (by default on the right panel) right click on “References”  and choose “Add References from Management Pack bundle…”
  3. Browse to and select your file (Lets say Microsoft.SystemCenter.Visualization.Internal.mpb from the SCOM 2012 install media)
  4. You’ll be then given a dialog detailing the MP(s) that were added from the bundle into the project.
  5. Now you can view the definition of any module you need from that MP via the Management Pack browser (View -> Management Pack Browser) or by selecting the module in-code and hitting F12 (go to definition hotkey).

Pretty simple procedure!  If you have accidentally created your MP project as a Operations Manager Core (2007) MP, you can modify your solution files to upgrade it.  Think carefully about doing this however – would you be better off including the extra functionality you need in an additional “feature” pack?  If you decide to go ahead and upgrade/downgrade, you can follow the steps in this blogpost.

Oh and one final tip: If you don’t want to find yourself having to constantly keep hold of the 2012 install media, you can just copy the MPs into the VSAE installation folder (they will now automatically be resolved when referenced).  You’ll find them in Program Files (x86)\System Center 2012 Visual Studio Authoring Extensions\References\OM2012.  I’d advise not to overwrite any of the existing MPs (you’ll get some conflicts) to be safe.  Also, be careful about copying updated versions of MPs that come from CU’s/SPs into this location, unless you don’t mind all the MPs you create requiring that updated version of the MP in future.  Not all customers have/can install the latest patches..

Hope that helps!

Posted in Computing | Tagged: , , , | Leave a Comment »

SCOM 2012 – Update Run As Account distribution via Powershell

Posted by Matthew on January 25, 2013

If you’ve ever had to use a Run as Profile with a Run As Account set to “Most Secure” that is used on a large number of agents, you’re probably used to seeing a lot of “System Center Management Health Service Credentials Not Found Alert Message” alerts.

Individually this isn’t too much work to manage, but when you get 120 of these come in at once (new MP imported in a large environment) it’s pretty painful to add them all manually via the console.  So below is a quick script to do this via powershell.

warningWarning: This only works with SCOM 2012.  If you want to do this for SCOM 2007, you can follow Andreas Zuckerhut’s post here –  but be warned, you don’t have the utility class used below so you need to be comfortable with your powershell!

In my example below I only had alerts open for one particular Run As account.  If you have multiple different accounts that you need to add systems to, please make sure you use some additional filtering on the Get-ScomAlerts cmdlet.

And yes I know this could be one horrible one-liner, but that wouldn’t be very nice to read 🙂

$alerts = Get-SCOMAlert -ResolutionState 0 -Name "System Center Management Health Service Credentials Not Found Alert Message"
$runas = Get-SCOMRunAsAccount  -Name "RunasAccountNameGoeshere"
$monitoringObjects = $alerts | % {get-ScomMonitoringObject -id $_.MonitoringObjectId}
$monitoringObjects += (Get-SCOMRunAsDistribution $runas).securedistribution
$managementGroup = Get-ScomManagementGroup
[Microsoft.SystemCenter.OperationsManagerV10.Commands.OMV10Utility]::ApproveRunasAccountForDistribution($managementGroup, $runas, $monitoringObjects)

After that, you can check the results by running (Get-SCOMRunAsDistribution $runas).securedistribution or checking in the SCOM Console under the Run As Account’s distribution tab.

Hope that helps!

Posted in Computing | Tagged: , | 1 Comment »

SCOM 2012 – Manually triggering a Discovery via the SCOM Console (On Demand Discovery)

Posted by Matthew on January 24, 2013

We’ve all been there – you’ve just added a new role to a server, installed a new component or got around to updating an expired licence, and now you’ve got to sit there and wait until the next discovery cycle occurs (potentially up to 24 hours in some cases).

However, Operations Manager 2012 includes a nice little Agent task you can run on a health service to manually trigger a discovery attempt!  I haven’t found much documentation for the task or the module (it’s not composite, and I haven’t yet deconstructed it) but I’ve used it a couple of times now and it always works a treat!


Disclaimer: I don’t know exactly how this task interacts with discoveries that don’t feature Probe modules expecting a trigger item somewhere in their cooked down chain.  If your Discovery is based on the presence of a Windows event, this may not function as expected.   Discoveries based on schedules (normally via System.Discovery.Scheduler) should function fine.

The high level steps are:

  1. Locate the “Trigger On Demand Discovery Task” for the health service you need to run the discovery from.
  2. Find the DiscoveryId so that SCOM knows which discovery to run.
  3. Find the TargetInstanceId so SCOM knows which specific object the discovery should run for.
  4. Run the task, overriding with the appropriate IDs.

Run the Task against the appropriate Health Service

So, how do I run this task?  Well you’ll find it targeted at health Services, so the Agent Health State or Management Servers State views under the Operations Manager folder will do the trick.

Operations Manager Agent Views

Select the Agent/Management server that you want the discovery to be triggered on (make sure you select the state view on the right and not the “from health service watcher” items) and you should see the task show up in the task pane on the far right.

On Demand Discovery Task

Don’t run it yet though, because now comes the only tricky part – you MUST specify which discovery the agent should trigger, and which target instance that discovery should be run for.  These have to be specified as the internal GUID that SCOM assigns to entities.  What’s the best way to retrieve that you ask?  Powershell of course!


In order to get your DiscoveryId you can use the Get-ScomDiscovery cmdlet with the -Displayname parameter, or if you know it the –Name parameter.  The Displayname is what displays in the SCOM console in the “Object Discoveries” section of the Authoring pane.  The Name is whatever name the MP Author gave the discovery when writing the management pack.

Either way, once you’ve run that cmdlet and found your discovery you want the guid displayed in the Id property.  It will look something along the lines of: 94d82cfb-2644-97ab-b42c-f0438d77b90a


Now to get your TargetInstanceId guid we need to find the unique ID that’s been assigned to the particular instance of the object that your discovery targets.  Most times this is probably going to be a windows computer or server object.  In order to find this we can use the Get-ScomClass and Get-ScomClassInstance cmdlets. If you are comfortable getting this, skip head to the next section (PROTip: The class id is available in the .Target.Id property of the discovery object you returned above).

First we need to get the Class that the discovery targets .  In the authoring pane of the SCOM console where you got the discovery name from, note down the value in the “Target” column.

Next, load up the Discovered Inventory view in the Monitoring Pane, and change the Target Type (via the task pane on the right) to your class you got from the Discovery target column.  Note down the displayname of the object that you want to run the discovery against (for example, a particular computer name).  Finally, run the below command

Get-SCOMClass -DisplayName “Discovery Target name goes here” | Get-SCOMClassInstance -Displayname “Object Displayname goes here” | fl Displayname,Id

This will display another guid, which is your TargetInstanceId.  Almost there!

Override and Run the Task

Head back to the Agent/Management server view, select your health service that you want the discovery to run on, and click on the task.  You’ll see the following screen:

On Demand Discovery Options

Hit the Override button, and in the “New Value” column enter in your TargetInstanceId and DiscoveryId guids that you found in the previous steps.  Hit Override, and then back on the run task screen click Run.  The discovery request will launch and should complete fairly quickly (faster than your discovery will at any rate.  Task completion doesn’t mean the discovery has finished, merely that the trigger request was sent successfully).  If you see any errors listed in the task results pane, then it’s likely you’ve got the wrong guid somewhere.

And that’s it.  Hopefully after a short amount of time your class objects should start to appear in SCOM.  If your discovery finds the root of a hierarchy of objects, you don’t need to submit a trigger for each subsequent object – those will be discovered immediately as normal once your root object is discovered.

Hope that helps you having to wait around for your latest installed component to show up in SCOM, and get back to monitoring!

Posted in Computing | Tagged: , | 2 Comments »

Deleting a SCOM MP which the Microsoft.SystemCenter.SecureReferenceOverride MP depends upon

Posted by Matthew on December 14, 2012

If you’ve ever imported a management pack which contained a Run As profile into SCOM, you will know the pain that awaits you if you ever need to delete it (most commonly when the latest version of the MP doesn’t support an upgrade via import).

The most discussed option I’ve seen for dealing with this is to:

  1. Delete the offending Run As Account(s) from the Run as Profile.
  2. Export the Microsoft.SystemCenter.SecureReferenceOverride MP
  3. Remove the reference that gets left behind when you delete a Run As Profile configuration from the raw xml.
  4. Increment the version number (again in the xml)
  5. Reimport it.

However, there is another way that doesn’t rely on you having to import/export or having to touch any xml, just a bit of Powershell!  The below is for 2012, but the same principle applies for 2007, just use the appropriate cmdlets/methods.

  1. Open a powershell session with the Operations Manager module/snappin loaded.
  2. Type: $MP = Get-SCOMManagementpack -Name Microsoft.SystemCenter.SecureReferenceOverride
  3. Now we can view the referenced management packs by typing $MP.References
  4. From the list of items in the Key column, note down the alias of your MP you wish to delete.  If you are having trouble finding it, the Value column will list the full ID of the MP.
  5. Now that we know the MP alias, we can remove it from the Secure Reference MP by typing $MP.References.Remove(“yourMPAliasGoesHere“)
  6. Now we can verify the MP is valid by entering $MP.Verify()  to ensure there are no orphaned overrides, etc.
  7. Finally, we can save our changes by typing: $MP.AcceptChanges()


If you don’t follow step 7, you won’t actually commit your changes to the MP.  Once this is done, give the SCOM management group a chance to catch up (you might have to wait a minute and then refresh your console).  When you now check the Dependencies tab of the MP you want to delete, you’ll see that the SecureReferenceOverride MP is no longer listed and you’ll be able to remove your MP.



Hope that helps!

Posted in Computing | Tagged: , , , , | 7 Comments »

SCOM : Revisiting the DayTimeExpression option of System.ExpressionFilter

Posted by Matthew on August 17, 2012

You may remember a few weeks ago I did an article on the flexibility and power of the System.ExpressionFilter. In that post I commented that I wouldn’t go into any depth on the DayTimeExpression expression type as you could accomplish most of the day/time comparison tasks with a System.ScheduleFilter instead.  Well, no sooner than writing that, I found myself authoring a workflow where that was not the case.

The customer was looking for a three state unit monitor, that had some complex health behavior:

  1. If the result of a scheduled Job was successful, switch to a Healthy state.
  2. If The result of the job is a Failure, switch to a Critical state.
  3. After 15 Minutes since the job has started, if it is not Successful or Failed, switch to a Warning State.
    1. After 30 minutes, if it has still not succeeded, go into a critical State.

Normally this kind of complex logic would be included as part of a custom script, however in this case we were using a built-in module to perform the query of our Job status, so it seemed very inefficient to then have to go into a script just to calculate the time differential (especially if due to the return code, the time calculation is irrelevant).

Why couldn’t we use a System.ScheduleFilter?

The normal approach when doing time comparisons is to use a System.ScheduleFilter to block the workflow from posting items to the appropriate health states in a MonitorType.  However, here we had a combination approach where we needed to use boolean AND and OR operators, which is something that the ScheduleFilter cannot provide, and the SCOM workflow engine only allows a single workflow branch to lead to a given Health State.

Our module didn’t return the current time as an additional property, so in order to get the current date I decided to just use the timestamp found on every Dataitem in a SCOM workflow.  This required a little bit of XPath knowledge however, as nearly all the XPath Query examples I’ve seen documented with SCOM are for accessing the child properties of a DataItem, not its own attributes.

So without further ado here are the Expressions I eventually came up with..

Healthy Expression

        <XPathQuery Type="String">//*[local-name()="StdOut"]

Nothing groundbreaking here, if at any time the result code matches the regular expression “SU” then we know our job succeeded (those of you who have done cross-platform monitoring with SCOM may recognize the XPath Query i’m using, however that’s not really the focus of this article).

Warning Filter

            <XPathQuery Type="String">//*[local-name()="StdOut"]
            <XPathQuery Type="DateTime">./@time</ValueExpression>

The first part of our Warning expression (lines 2-9) is just checking that the Job status code is not one which instantly pushes us into another health state (remember, a return code of Failure is an automatic critical health state, regardless of time).  Lines 12-20 are what we are interested in here.  We’ve specified that we want to do a DayTime comparison, and we are going to compare the “./@time” XPath query against a time range.  I’ll come back to the XPath in a second, first let me explain the rest of the parameters.

  • StartTime is the start of the time range, specified in Seconds from Midnight.
  • EndTime is the end of the time range, specified in Seconds from Midnight.
  • Days is the usual Days of the week mask used by SCOM.  To specify which days are in the range, simply add up the corresponding values from the table below (so Mon through Friday is 62).
    • Sunday = 1
    • Monday = 2
    • Tuesday = 4
    • Wednesday = 8
    • Thursday = 16
    • Friday = 32
    • Saturday = 64
  • InRange is a boolean operator that specifies if this expression is TRUE if the input time is inside, or outside the time range specified.

So what i’ve done here is specified that the warning filter will match only for the 15-30 minute period after the job has started (remember this is a scheduled job, so it’s the same time each day), and only if the status code is not SU (Healthy) or FA (Critical).

The XPath Query on line 14 of “./@time” is a little weird, and is to do with the implementation of XPath in the ExpressionFilter module.  Essentially it’s already scoped to look at the elements within a workflow Data item, so we have to explicitly go back up the tree and say we want the Time attribute of the DataItem itself.  The value you use to perform your date time calculation must be in the DateTime format (2012-08-17T14:23:16.291Z) for this to succeed.  Thankfully the Time value on DataItems always is.

Critical Filter

                <XPathQuery Type="DateTime">./@time</XPathQuery>

And finally, we have the Critical health state Expression filter.  This uses an OR condition to short-circuit and allow us to instantly go to a critical health state if the job result is a failure without having to check the time.  Otherwise, we carry on and evaluate the AND expression and make sure that the job result isn’t a Success code and we are now outside our 30 minute window since the job started.  Note that the InRange parameter on line 30 is now false, so that the expression will only evaluate to true if the current time is outside our time window of 0-30 minutes since the job started.

And there we have it!  Unfortunately the SCOM 2007 Authoring console doesn’t allow you to use the wizard when trying to use DayTime/Exists expressions, so you’ll need to hit the “edit” button and get your hands dirty with XML yourself.  My suggestion would be to create your logic using the wizard with a placeholder line in place where you want your DayTimeExpression, and then to edit it by hand to include that line afterwards.  Just don’t try to open your ExpressionFilter in the wizard using the “configure” button afterwards, as it will break your expression.  You’ll have to keep using the edit button and editing it by hand.

As always, I hope that helped someone out, and feel free to post a comment if I haven’t made anything clear or you have practical example you’d like to work through.

Posted in Computing | Tagged: , , , , | 1 Comment »

The SCOM Unsung Hero – Using the System.ExpressionFilter Module

Posted by Matthew on July 3, 2012

I’ve decided to write a blogpost as tribute to the unsung hero of Operations Manager, the one module that gets used in virtually every workflow but is rarely the focus of attention.  Without this module cookdown would be mostly impossible and whether you are creating your own modules or using the Wizards in the SCOM console/ Authoring Console / Visio Extension, it’s always there to assist you.  I’m talking of course about the System.ExpressionFilter.

What is it?

The System.ExpressionFilter is a condition detection module and sibling to the System.LogicalSet.ExpressionFilter.  It’s function is to examine items in the operations manager workflow and either pass them on or remove (drop) them from the workflow.  If no items matched the filter at all, the workflow terminates.

In only has a single configuration parameter, but it’s a very powerful one, as it accepts the ExpressionType configuration.  In reality most of this article will be talking about the syntax of ExpressionType.

It’s also a very lightweight module, and should be used whenever you need to do any kind of determination or filtering.  Whenever you are using a service monitor, event log reader, SNMP probe, the parameters you are filling in are nearly all being sent to this module not the data source!

When should you use it?

  • 90% of the time, if you want to implement cookdown for your workflow, you’ll be using this module.
  • You want to add further filtering onto an existing rule in an unsealed management pack.
  • You want to perform filtering of any kind of data.
  • You are implementing a MonitorType (not the same thing as a monitor)


The System.ExpressionFilter only takes a single parameter, of type ExpressionType.  This is an inbuilt data type in SCOM that allows you to specify some kind of evaluation criteria that operations manager will run on every item sent to the module.  It should be noted that each item will be evaluated individually (if you need to do them as a linked set, see the System.LogicalSet.ExpressionFilter).

Expression filters are very complex types.  They support nested expressions using the And and Or group constructions, and you also have access to NOT.  Below i’ll give you a sample of the type you are going to use 75% of the time..

 SimpleExpression – Compare output of PropertyBagScript to value

                     <XPathQuery Type="String">Property[@Name='Status']</XPathQuery>
                     <Value Type="String">Healthy</Value>

This is the most common filter you’ll use in SCOM. It’s purpose is to compare the output of a module (in this case, a PropertyBagScript value called “Status”) with a value. This can either be a static value, or one passed in to the workflow as part of a $Config/$ parameter.

We start off opening with an <Expression> tag, which is always the starting and end tag for each evaluation.  Then we’ve stated on line 2 that we want to use a SimpleExpression, which just does a straight comparison between two items (the first ValueExpression and Second ValueExpression).  The valid operators for use with a SimpleExpression are:

  • Equal
  • NotEqual
  • Greater
  • Less
  • GreaterEqual
  • LessEqual

Note that when specifying the operators they are case-sensitive, so they need to be entered exactly as above.  Finally our ValueExpressions (the left and right side of the comparison) are either of type Value or XPathQuery.  You use Value when using either static values or $Config/$ or $Target/$ parameters, and XPathQuery when you want to examine the output of the previous module.

Finally you’ll note that both Value and XPathQuery have a Type attribute – SCOM will attempt to cast the data into that type before performing the query.  So if you are comparing two numbers make sure you have the type set to Integer, otherwise it will attempt to calculate if the ‘letter’ 3 is greater than ’86’, which probably isn’t your intent.  The available types are:

  • Boolean
  • Integer
  • UnsignedInteger
  • Double
  • Duration
  • DateTime
  • String

The SCOM 2007 Authoring console will by default always set the type to “String”, so keep an eye on that.  Also, if the type conversion fails, SCOM is going to throw an error into the event log and the item will not be processed.

 Logical Operators – And Or and NOT

You can group and reverse the result of expressions using the <And>, <Or> and <Not> expression elements.  How they are implemented is a wrapper for your <Expression></Expression> tag that themselves are expressions!  Sounds complicated, but with an example it becomes much clearer:

               <!-- First expression here -->
               <!-- Second expression here -->

So above we have two expressions that most both evaluate to true in order for the whole outer expression to be true.  The construct is the same for <Or> and <Not>, and you can even nest groups in groups for truly powerful expressions!  <Not> may only contain a single <Expression> (that of course, could be a group!), but <And> and <Or> can contain two or more expressions if you need to group on multiple items.

One important thing to note is that groups support short circuiting.  What this means is that if we examine one expression in an And/Or group and we can deduce from the first expression that the whole thing will be true or false (perhaps we are using And and the first item is False) then SCOM won’t bother to evaluate the second expression, saving time and performance.  So nest away!

Exists – Does my data item contain a property?

Much like a type conversion failure, if an XPathQuery value (as part of a SimpleExpression) doesn’t resolve to anything, say because that data item doesn’t contain an expected property, then the Expression will fail and that item will be dropped.  So if you are dealing with a property that doesn’t always show up (regardless of if it has a value, SCOM can deal with empty/null properties) you’d be wise to use the <Exists> expression.  It’s also useful if you don’t care about the value of a property, merely if it exists or not.

                             <XPathQuery Type="Integer">Params/Param[1]</XPathQuery>

Here we are checking to see if an event log entry has at least 1 parameter.  You can also use <Value> instead of XPathQuery if you wanted to check to see if a $Config/$ parameter exists so you know if an optional parameter on your module has been specified or not.

If you need to check the result of a value that may or may not exist, you’ll want to take advantage of the short circuiting of thegroup by combining an exists check with your value check.  Make sure the exists expression is first in the group, and that way if the property doesn’t exist SCOM won’t bother trying to read the property (which, as stated above will cause the module to fail).  I’ve included an example of this below!

                             <XPathQuery Type="Integer">Params/Param[1]</XPathQuery>
                             <XPathQuery Type="Integer">Params/Param[1]</XPathQuery>
                             <Value Type="Integer">Params/Params[1]</Value>

Regular Expressions

If you want to do powerful (or simple!) regular expression comparisons, then the ExpressionFilter has got you covered.  I’m not going to go into a huge amount of depth on this one, because by now you should be getting an idea of how this works.  I’ll just show you the syntax and then list the regex pattern styles you can use.

                     <XPathQuery Type="String">EventPublisher</XPathQuery>

ValueExpression is the same as with a SimpleExpression, so you can compare against incoming data items on the workflow or input parameters.  Operator allows you to specify what type of matching you’d like to perform:

  • MatchesWildcard– Simple wildcard matching using the below wildcards
    • # – Matches 0-9
    • ?  – Any single character
    • * – any sequence of characters
    • \ – escapes any of the above
  • ContainsSubstring – Standard wildcard containment, if this exists anywhere in the string (implemented as ‘^.*pattern.*$’)
  • MatchesRegularExpression – Full regular expression via .Net (Note this is not the same as Group Calculation modules, which use Perl).
  • DoesNotMatchWildcard – Inverse of MatchesWildcard.
  • DoesNotContainSubstring – Inverse of ContainsSubstring
  • DoesNotMatchRegularExpression – Inverse of DoesNotMatchRegularExpression

Finally, Pattern allows you to specify your regular expression.  Note that you don’t need to wrap this in “” or ”.  Obviously you can nest these in groups if you need to perform multiple regular expressions or

Oh, and if you have any questions on Regular expressions, ask Pete Zerger.  He loves regular expressions (you can tell him I sent you ;))!


Finally we have , which is used to determine if a datetime is inside or outside a range.  This one is less used, as we have another built in module (System.ScheduleFilter) which we can use for this kind of comparison that is a bit more powerful, and can use the current time of the workflow, rather than having to get that value from your data item.  It only allows for Day (Sun-Saturday) and time comparisons.  There’s no ability to specify exceptions or different windows for each day either, something the ScheduleFilter does implement.

I’m not going to detail into it here, but you can find documentation for it on MSDN at the following link.

Example Scenarios

Essentially, any time you want to filter or compare a value you can use this module!  Normally you’ll be using it to either manage output from a datasource or further scope a rule so that it only alerts when it meets your extra criteria.

The other time you’ll commonly use it is when implementing your own MonitorType.  You’ll add one System.ExpressionFilter for each health state the monitortype provides, and then set the filters up so that they use mutually exclusive values to determine what health state your system is in.  I won’t drag this post out any further with examples however, as there are plenty on the web of this already and they are always quite specific to the scenario.


MSDN documentation – http://msdn.microsoft.com/en-us/library/ee692979.aspx

Hope this proved helpful, and as always if you have any specific questions feel free to post a comment with what you need and i’ll see what I can do!

(Sorry Pete!)

Posted in Computing | Tagged: , , , , | 4 Comments »