Alert Description Variables:
For event Rules:
EventDisplayNumber (Event ID): $Data/EventDisplayNumber$
EventDescription (Description): $Data/EventDescription$
Publisher Name (Event Source): $Data/PublisherName$
EventCategory: $Data/EventCategory$
LoggingComputer: $Data/LoggingComputer$
EventLevel: $Data/EventLevel$
Channel: $Data/Channel$
UserName: $Data/UserName$
EventNumber: $Data/EventNumber$
Event Time: $Data/@time$
EventDescription (Description): $Data/EventDescription$
Publisher Name (Event Source): $Data/PublisherName$
EventCategory: $Data/EventCategory$
LoggingComputer: $Data/LoggingComputer$
EventLevel: $Data/EventLevel$
Channel: $Data/Channel$
UserName: $Data/UserName$
EventNumber: $Data/EventNumber$
Event Time: $Data/@time$
For event Monitors:
EventDisplayNumber (Event ID): $Data/Context/EventDisplayNumber$
EventDescription (Description): $Data/Context/EventDescription$
Publisher Name (Event Source): $Data/Context/PublisherName$
EventCategory: $Data/Context/EventCategory$
LoggingComputer: $Data/Context/LoggingComputer$
EventLevel: $Data/Context/EventLevel$
Channel: $Data/Context/Channel$
UserName: $Data/Context/UserName$
EventNumber: $Data/Context/EventNumber$
Event Time: $Data/Context/@time$
EventDescription (Description): $Data/Context/EventDescription$
Publisher Name (Event Source): $Data/Context/PublisherName$
EventCategory: $Data/Context/EventCategory$
LoggingComputer: $Data/Context/LoggingComputer$
EventLevel: $Data/Context/EventLevel$
Channel: $Data/Context/Channel$
UserName: $Data/Context/UserName$
EventNumber: $Data/Context/EventNumber$
Event Time: $Data/Context/@time$
For Repeating Event Monitors:
EventDisplayNumber (Event ID): $Data/Context/Context/DataItem/EventDisplayNumber$
EventDescription (Description): $Data/Context/Context/DataItem/EventDescription$
Publisher Name (Event Source): $Data/Context/Context/DataItem/PublisherName$
EventCategory: $Data/Context/Context/DataItem/EventCategory$
LoggingComputer: $Data/Context/Context/DataItem/LoggingComputer$
EventLevel: $Data/Context/Context/DataItem/EventLevel$
Channel: $Data/Context/Context/DataItem/Channel$
UserName: $Data/Context/Context/DataItem/UserName$
EventNumber: $Data/Context/Context/DataItem/EventNumber$
EventDescription (Description): $Data/Context/Context/DataItem/EventDescription$
Publisher Name (Event Source): $Data/Context/Context/DataItem/PublisherName$
EventCategory: $Data/Context/Context/DataItem/EventCategory$
LoggingComputer: $Data/Context/Context/DataItem/LoggingComputer$
EventLevel: $Data/Context/Context/DataItem/EventLevel$
Channel: $Data/Context/Context/DataItem/Channel$
UserName: $Data/Context/Context/DataItem/UserName$
EventNumber: $Data/Context/Context/DataItem/EventNumber$
Performance Threshold Monitors:
Object (Perf Object Name): $Data/Context/ObjectName$
Counter (Perf Counter Name): $Data/Context/CounterName$
Instance (Perf Instance Name): $Data/Context/InstanceName$
*Value (Perf Counter Value): $Data/Context/Value$
**Last Sampled Value $Data/Context/SampleValue$
Counter (Perf Counter Name): $Data/Context/CounterName$
Instance (Perf Instance Name): $Data/Context/InstanceName$
*Value (Perf Counter Value): $Data/Context/Value$
**Last Sampled Value $Data/Context/SampleValue$
*Value will show the actual performance value for simple and avg monitors. It will show number of samples for consecutive threshold monitors.
**Last Sampled Value works to show the last value evaluated in a consecutive sample value monitor.
**Last Sampled Value works to show the last value evaluated in a consecutive sample value monitor.
Service Monitors:
Service Name $Data/Context/Property[@Name=’Name’]$
Service Dependencies $Data/Context/Property[@Name=’Dependencies’]$
Service Binary Path $Data/Context/Property[@Name=’BinaryPathName’]$
Service Display Name $Data/Context/Property[@Name=’DisplayName’]$
Service Description $Data/Context/Property[@Name=’Description’]$
Service Dependencies $Data/Context/Property[@Name=’Dependencies’]$
Service Binary Path $Data/Context/Property[@Name=’BinaryPathName’]$
Service Display Name $Data/Context/Property[@Name=’DisplayName’]$
Service Description $Data/Context/Property[@Name=’Description’]$
Logfile Monitors:
Logfile Directory : $Data/Context/LogFileDirectory$
Logfile name: $Data/Context/LogFileName$
String: $Data/Context/Params/Param[1]$
Logfile name: $Data/Context/LogFileName$
String: $Data/Context/Params/Param[1]$
Logfile rules:
Logfile Directory: $Data/EventData/DataItem/LogFileDirectory$
Logfile name: $Data/EventData/DataItem/LogFileName$
String: $Data/EventData/DataItem/Params/Param[1]$
Logfile name: $Data/EventData/DataItem/LogFileName$
String: $Data/EventData/DataItem/Params/Param[1]$
General:
To show the name of the Windows Computer host:
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
Notifications:
$Data/Context/DataItem/AlertId$ The AlertID GUID
$Data/Context/DataItem/AlertName$ The Alert Name
$Data/Context/DataItem/Category$ The Alert category
$Data/Context/DataItem/CreatedByMonitor$ True/False
$Data/Context/DataItem/Custom1$ CustomField1
$Data/Context/DataItem/Custom2$ CustomField2
$Data/Context/DataItem/Custom3$ CustomField3
$Data/Context/DataItem/Custom4$ CustomField4
$Data/Context/DataItem/Custom5$ CustomField5
$Data/Context/DataItem/Custom6$ CustomField6
$Data/Context/DataItem/Custom7$ CustomField7
$Data/Context/DataItem/Custom8$ CustomField8
$Data/Context/DataItem/Custom9$ CustomField9
$Data/Context/DataItem/Custom10$ CustomField10
$Data/Context/DataItem/DataItemCreateTime$ UTC Date/Time of Dataitem created
$Data/Context/DataItem/DataItemCreateTimeLocal$ LocalTime Date/Time of Dataitem created
$Data/Context/DataItem/LastModified$ UTC Date/Time DataItem was modified
$Data/Context/DataItem/LastModifiedLocal$ Local Date/Time DataItem was modified
$Data/Context/DataItem/ManagedEntity$ ManagedEntity GUID
$Data/Context/DataItem/ManagedEntityDisplayName$ ManagedEntity Display name
$Data/Context/DataItem/ManagedEntityFullName$ ManagedEntity Full name
$Data/Context/DataItem/ManagedEntityPath$ Managed Entity Path
$Data/Context/DataItem/Priority$ The Alert Priority Number (High=1,Medium=2,Low=3)
$Data/Context/DataItem/Owner$ The Alert Owner
$Data/Context/DataItem/RepeatCount$ The Alert Repeat Count
$Data/Context/DataItem/ResolutionState$ Resolution state ID (0=New, 255= Closed)
$Data/Context/DataItem/ResolutionStateLastModified$ UTC Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateLastModifiedLocal$ Local Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateName$ The Resolution State Name (New, Closed)
$Data/Context/DataItem/ResolvedBy$ Person resolving the alert
$Data/Context/DataItem/Severity$ The Alert Severity ID
$Data/Context/DataItem/TicketId$ The TicketID
$Data/Context/DataItem/TimeAdded$ UTC Time Added
$Data/Context/DataItem/TimeAddedLocal$ Local Time Added
$Data/Context/DataItem/TimeRaised$ UTC Time Raised
$Data/Context/DataItem/TimeRaisedLocal$ Local Time Raised
$Data/Context/DataItem/TimeResolved$ UTC Date/Time the Alert was resolved
$Data/Context/DataItem/WorkflowId$ The Workflow ID (GUID)
$Data/Recipients/To/Address/Address$ The name of the recipient
$Data/Context/DataItem/AlertName$ The Alert Name
$Data/Context/DataItem/Category$ The Alert category
$Data/Context/DataItem/CreatedByMonitor$ True/False
$Data/Context/DataItem/Custom1$ CustomField1
$Data/Context/DataItem/Custom2$ CustomField2
$Data/Context/DataItem/Custom3$ CustomField3
$Data/Context/DataItem/Custom4$ CustomField4
$Data/Context/DataItem/Custom5$ CustomField5
$Data/Context/DataItem/Custom6$ CustomField6
$Data/Context/DataItem/Custom7$ CustomField7
$Data/Context/DataItem/Custom8$ CustomField8
$Data/Context/DataItem/Custom9$ CustomField9
$Data/Context/DataItem/Custom10$ CustomField10
$Data/Context/DataItem/DataItemCreateTime$ UTC Date/Time of Dataitem created
$Data/Context/DataItem/DataItemCreateTimeLocal$ LocalTime Date/Time of Dataitem created
$Data/Context/DataItem/LastModified$ UTC Date/Time DataItem was modified
$Data/Context/DataItem/LastModifiedLocal$ Local Date/Time DataItem was modified
$Data/Context/DataItem/ManagedEntity$ ManagedEntity GUID
$Data/Context/DataItem/ManagedEntityDisplayName$ ManagedEntity Display name
$Data/Context/DataItem/ManagedEntityFullName$ ManagedEntity Full name
$Data/Context/DataItem/ManagedEntityPath$ Managed Entity Path
$Data/Context/DataItem/Priority$ The Alert Priority Number (High=1,Medium=2,Low=3)
$Data/Context/DataItem/Owner$ The Alert Owner
$Data/Context/DataItem/RepeatCount$ The Alert Repeat Count
$Data/Context/DataItem/ResolutionState$ Resolution state ID (0=New, 255= Closed)
$Data/Context/DataItem/ResolutionStateLastModified$ UTC Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateLastModifiedLocal$ Local Date/Time ResolutionState was last modified
$Data/Context/DataItem/ResolutionStateName$ The Resolution State Name (New, Closed)
$Data/Context/DataItem/ResolvedBy$ Person resolving the alert
$Data/Context/DataItem/Severity$ The Alert Severity ID
$Data/Context/DataItem/TicketId$ The TicketID
$Data/Context/DataItem/TimeAdded$ UTC Time Added
$Data/Context/DataItem/TimeAddedLocal$ Local Time Added
$Data/Context/DataItem/TimeRaised$ UTC Time Raised
$Data/Context/DataItem/TimeRaisedLocal$ Local Time Raised
$Data/Context/DataItem/TimeResolved$ UTC Date/Time the Alert was resolved
$Data/Context/DataItem/WorkflowId$ The Workflow ID (GUID)
$Data/Recipients/To/Address/Address$ The name of the recipient
The Web Console URL:
$Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"/WebConsoleUrl$
$Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"/WebConsoleUrl$
The principalname of the management server:
Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"/PrincipalName$
Target/Property[Type="Notification!Microsoft.SystemCenter.AlertNotificationSubscriptionServer"/PrincipalName$
Ref. Kevin Holman