Export (0) Print
Expand All

Expressions

Updated: November 1, 2013

Applies To: System Center 2012 - Operations Manager, System Center 2012 R2 Operations Manager, System Center 2012 SP1 - Operations Manager

Wizards for creating monitors and rules will often require you to enter an expression that specifies criteria for the data being collected. The monitor or rule will only apply if the expression is true.

For example, you might have a rule that creates an alert for a particular event. You don’t want an alert for every single event that writes to the event log, so you specify the event number and event source in the expression. The rule will analyze all events that are written to the event log, but it will only generate an alert for those events with the specified source and number.

An expression may be simple with only a single criterion, or it may be a compound expression with multiple criteria and complex logic. Most expressions that you create will have only one or two criteria with very few using complex logic.

The syntax that you use for the expression will be different for different kinds of data sources. For some data source, you will be able to select criteria for a dialog box which keeps you from having to understand the underlying syntax. For other data sources, you will have to know the appropriate syntax and type it in. The following sections provide you with the details of the criteria for each data source.

Criteria Syntax

A single piece of criteria is comprised of a Parameter Name, an Operator, and a Value. Each of these is described in detail in the following sections.

Parameter Name

The parameter name specifies a parameter from the data source for the rule or monitor. The syntax of the parameter name will be different depending on the type of data being collected. The syntax of the parameter name will be different depending on the type of data being collected.

The sections below provide the parameter name syntax for different kinds of data sources.

Windows Events

Windows events provide a prompt in the expression dialog box to select individual properties so you will typically not have to understand the actual syntax. The list of properties with their description is at Windows Events.

Event Description is not included in the dropdown list for property name. It can be used by typing in EventDescription. Before using Event Description though, you should verify whether the information that you are using in the description is available in parameters. Event descriptions are often made up of standard text with unique information included through parameters. Parameters are more efficient that the full description since they contain a specific piece of information.

Text Logs

Params/Param[1]Params/Param[#]

WMI Events

Collection[@Name='TargetInstance']/Property[@Name='Caption']

Syslog Events

Syslog Events do not provide a prompt for the parameter name, so you need to type it in using the appropriate syntax. The syntax for the properties of a syslog event is simply the name of the property. These properties are listed in Syslog Events.

SNMP Events

SnmpVarBinds/SnmpVarBind/ElementNameSnmpVarBinds/SnmpVarBind[#]/ElementNameSnmpVarBinds/SnmpVarBind[OID="OID"]/ElementName

Scripts

Property[@Name="PropertyName"]

Operator

The operator specifies the comparison that will be performed between the value from the data property specified in Parameter Name and the value specified in Value. Possible values are shown in the following table.

 

Operator Description

Equals

The string or number specified in the data is exactly equal to the string or number specified in Value. If this is a string value, the comparison is not case sensitive.

Does not equal

The string or number specified in the data is not exactly equal to the string or number specified in Value. If this is a string value, the comparison is not case sensitive.

Greater than

The value in the data is greater than the number specified in Value.

Greater than or equal to

The value in the data is greater than or equal to the number specified in Value.

Less than

The value in the data is less than the number specified in Value.

Less than or equal to

The value in the data is less than or equal to the number specified in Value.

Contains

The string specified in Value appears somewhere in the data.

Does not contain

The string specified in Value does not appear somewhere in the data.

Matches wildcard

The string specified in Value matches the string including wildcard. The wildcard character is * and represents any number of characters.

Does not match wildcard

The string specified in Value does not match the string including wildcard. The wildcard character is * and represents any number of characters.

Matches regular expression

The string in the data matches the regular expression specified in Value.

Does not match regular expression

The string in the data does not match the regular expression specified in Value.

Value

The value can be specific text or a number typed into the Value field. For example, a particular event might be defined by its source and number. These are both constant values that can be typed into the Value field.

A value can also come from a property on the target object. Any property on the target object or on any of the object’s parents can be used. You can view a list of the properties and their values for any object by viewing the object in the Discovered Inventory view.

Target properties have different values for different objects. For example, you might use Logical Disk (Server) as a target and require the total size of the disk in the criteria. Logical disks have a property called Size (Mbytes) that stores the total size of the disk. The value of this property will be different for different disks in the management group. When you use a target variable for the value, it will be evaluated separately for each object.

You can select a target property by clicking the ellipse button on the right of the criteria line. This will display a list of all available properties for the object that you selected for the target and that objects parents. If you select one of these properties, the appropriate target variable will be added to the criteria.

Examples

Windows Events

The following expression identifies a Windows event with a source of Contoso and an event number of 100.

 

Parameter Name Operator Value

AND group (all of these are true)

Event ID

Equals

100

Event Source

Equals

Contoso

The following expression identifies a Windows event with a source of Contoso, an event number of 100, and the word “Error” in parameter 1.

 

Parameter Name Operator Value

AND group (all of these are true)

Event ID

Equals

100

Event Source

Equals

Contoso

Parameter 1

Equals

Error

The following expression identifies a Windows event with a source of Contoso, an event number of 100, and the word “Error” anywhere in the description.

 

Parameter Name Operator Value

AND group (all of these are true)

Event ID

Equals

100

Event Source

Equals

Contoso

EventDescription

Contains

Error

Text Logs

The following expression identifies an entry in a generic text log that contains the word “Error”.

 

Parameter Name Operator Value

Params/Param[1]

Contains

Error

The following expression identifies an entry in a generic csv text log that contains the word “Error” in the third field.

 

Parameter Name Operator Value

Params/Param[3]

Equals

Error

Scripts

The following expression identifies a numeric value from a script called “PerfValue” that is between 10 and 20.

 

Parameter Name Operator Value

AND group (all of these are true)

Property[@Name="PerfValue"]

Greater than

10

Property[@Name="PerfValue"]

Less than

20

-----
For additional resources, see Information and Support for System Center 2012.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012. For instructions and examples, see Search the System Center 2012 Documentation Library.
-----
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft