SCOM 2012 – System.ExpressionFilter and Consolidation

While authoring a custom monitor for a customer, I took some exported 2012 code for an expression filter, dropped it into my XML with the 2007 schema, and promptly received an error when trying to open the code with the 2007 R2 Authoring console. I didn’t believe the schema differences between 2007 and 2012 impacted the ExpressionFilter, so this took me by surprise. A quick Bing search on the System.ExpressionFilter 2012 yielded the following result:

http://msdn.microsoft.com/en-us/library/jj129836.aspx


Whoa – where did that come from? Since these are optional parameters, I hadn’t yet noticed they were around. In order to play with them, I created an MP in the 2007 R2 Authoring console that uses a Scheduler (set to 20 seconds), a PS Property Bag Probe (checks for c:\flag.txt and returns True if the file is there) and the System.ExpressionFilter, which is configured to watch for the value of True in the property bag. Since this is the 2007 schema, the MatchCount, SampleCount and WithinSeconds parameters are not specified. Upon import, I would expect any machine (once it receives the MP) to raise an alert if the c:\flag.txt file exists. So, I created this file on one of my test machines and imported the MP.


Exactly as expected.  Upon seeing the flag file, the dev machine raised an alert.

Now, I export the MP from my SCOM 2012 environment and compare the code. The code is still exactly the same, so, by default, the tags are not automatically inserted. Interesting, since the other code I was attempting to copy and paste actually did contain the MatchCount tag.

<ConditionDetection ID="Filter" TypeID="System!System.ExpressionFilter">
  <Expression>
    <SimpleExpression>
      <ValueExpression>
        <XPathQuery Type="String">Property[@Name='Result']</XPathQuery>
      </ValueExpression>
      <Operator>Equal</Operator>
      <ValueExpression>
        <Value Type="String">True</Value>
      </ValueExpression>
    </SimpleExpression>
  </Expression>
</ConditionDetection>

Now, I open the code with the Visual Studio authoring extensions (making sure to convert it to OM 2012 schema along the way) to play with the new tags.  Taking directly from the MSDN page, I insert the following:

<ConditionDetection ID="Filter" TypeID="System!System.ExpressionFilter">
  <Expression>
    <SimpleExpression>
      <ValueExpression>
        <XPathQuery Type="String">Property[@Name='Result']</XPathQuery>
      </ValueExpression>
      <Operator>Equal</Operator>
      <ValueExpression>
        <Value Type="String">True</Value>
      </ValueExpression>
    </SimpleExpression>
  </Expression>
  <SuppressionSettings>
    <MatchCount>5</MatchCount>
    <SampleCount>10</SampleCount>
  </SuppressionSettings>
</ConditionDetection>

Now, if I get 5 of these within 10 samples, I should get an alert.  I add some logic to write to the EventVwr when the file is found so that I can count the samples, I save, and import the MP.

At 4, nothing:


At 5, alert:


Now, let’s test if the samples need to be consecutive.  All I have to do is let a few of the Errors pop into the EventVwr, delete the file, and then re-add in time for 5 to happen within 10 minutes.


At this point, I renamed the file.  About a minute or so later, I renamed the flag file back so that the script would pick it up.

Even with the gap, the rule still filed an alert (Note 9:48:49 –> 9:50:29 in the EventVwr):


This is excellent. There most definitely will still be scenarios where the Consolidator will have to be attached to the ExpressionFilter. However, the ExpressionFilter now contains functionality to handle both # of samples (MatchCount) within a period of time (WithinSeconds), and # of samples (MatchCount) within a sample set (SampleCount). This makes many of the custom authoring scenarios a little bit easier to construct.
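To reason about the two suppression modes before importing an MP, the following Python sketch models them over a constructed run of probe results that mirrors the renamed-file test above. It is an added example, not code from the original post or from SCOM: the function names and the sliding-window behaviour are assumptions based only on the results observed here, and it reports only the first sample at which an alert would be raised.

```python
from collections import deque

INTERVAL = 20  # seconds between samples, matching the post's Scheduler setting
# Constructed sample results: three hits, the flag file renamed away for three
# samples, then two more hits after it was renamed back.
GAPPED = [True, True, True, False, False, False, True, True]


def first_alert_by_samples(samples, match_count, sample_count):
    """1-based index of the first sample at which at least match_count of
    the most recent sample_count samples matched, or None."""
    window = deque(maxlen=sample_count)  # old samples fall off the left
    for index, matched in enumerate(samples, start=1):
        window.append(bool(matched))
        if sum(window) >= match_count:
            return index
    return None


def first_alert_by_time(samples, match_count, within_seconds, interval=INTERVAL):
    """Timestamp (seconds from the first sample) at which match_count
    matches first fall inside a within_seconds span, or None."""
    hits = deque()
    for index, matched in enumerate(samples):
        if not matched:
            continue
        now = index * interval
        hits.append(now)
        while now - hits[0] > within_seconds:  # drop matches that aged out
            hits.popleft()
        if len(hits) >= match_count:
            return now
    return None


if __name__ == "__main__":
    print(first_alert_by_samples([True] * 4, 5, 10))  # four hits: no alert
    print(first_alert_by_samples(GAPPED, 5, 10))      # gap is tolerated
    print(first_alert_by_time(GAPPED, 5, 200))        # fits inside the span
    print(first_alert_by_time(GAPPED, 5, 100))        # span too short
```

In this model, a MatchCount of 5 with a SampleCount of 10 can never fire for a condition that is true on only every third sample, which is the kind of intermittent signal that would still need a longer window or the Consolidator.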
