Forum Discussion
Yes, 1234 in the expression above would be the whole name. And the 5 would be the value of the .count datapoint you want to threshold on. ge() means greater than or equal to. This assumes the datapoint is called "count".
I think the problem with this is that the eq() function is looking for numbers, not a string. So it may always return 0. If that's the case, we may need to look into simplifying either the wildvalue (first part of discovery line before the ##) or the wildalias (second part of discovery line, the instance display name) down to a number.
In your name above is 1069 enough to uniquely identify that one instance? Or is it possible to have a 1069 with two different strings in the name before the 1069?
For example, is it possible for these both to exist? Or will "1069" always be paired with "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin|Microsoft-Windows-TerminalServices-RemoteConnectionManager|2"?
"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin|Microsoft-Windows-TerminalServices-RemoteConnectionManager|2|1069"
"Something else entirely|2|1069"
- jonathanbarrow 6 months ago Neophyte
1069 will always be there; this logic builds the instance name for this code using the following naming scheme.
Log Name | Provider logging the error | Error level (2 = error, 1 = critical, 3 = warning) | Event ID
So in theory, yes, another log or provider could output a 1069 as well.
- jonathanbarrow 6 months ago Neophyte
Testing this out...
- Mike_Moniz 6 months ago Professor
Is the count alert threshold you want for all of these instances, all going to be the same? Like you want to alert if 20 different event id counts go >= 2? Or could some of them be 5 counts, or 10 counts, etc?
Also if the count is just going to be 1, I would just look to use EventSources for alerting.
- jonathanbarrow 6 months ago Neophyte
No, they may vary, and 99% of the instances we have just for informational purposes but don't want alarming on them.
Right now this was built to feed data into other systems, but we just recently had an issue where management needs us to alert of this one particular item which is causing outages for a client which led them to asking how I can set an alarm on this particular item (instance).
I haven't used EventSource before, how would that differ?
Also, we don't currently own the Event Log features of LM as we haven't really had a need for it before, so any of those features, or native event log details I don't think I can get as we don't own that module. So to get them out of this major incident, they asked how I could accomplish this with the data we do have in the system now.
- jonathanbarrow 6 months ago Neophyte
Referencing my shared screenshot, I have the Alert Threshold box/data empty right now. I'd think I would need to set that, but in the code you shared which I changed the instance name on, it seems to be defined there. So how would that work with the "ge(count,1)),1,0" already in the Groovy code?
- jonathanbarrow 6 months ago Neophyte
Never mind, I get it. If the count of that instance is over 1, then I'd be outputting a 1, if not a 0. So I'd need to configure the alert threshold still and just have it trigger when it spots a 1 or higher. Sorry, little slow this am. :)