
David St. Clair at myITforum.com

Alert Suppression

Another tip we found today deals with alert suppression. Normally, when you create rules or monitors, you set alert suppression using the standard fields (e.g. Name, Source, etc.).

 


However, in some cases we need to set more advanced criteria. In this case, edit the configuration of the alert (1), click Alert Suppression (2), click Advanced (3), and enter your criteria (4).

 


In the example above we needed to suppress duplicate alerts from Syslog messages coming in to SCOM. The trick was to suppress alerts while taking into account the time and date of the event: Syslog messages include the date and time, so suppression can be tricky because the same message comes in at different times. Using $Data/EventData/DataItem/Facility$, $Data/EventData/DataItem/Severity$, and $Data/EventData/DataItem/HostName$ as the suppression criteria, you can suppress the duplicate messages and avoid the sea of red in your console.

The thing to be careful of is making sure you are getting all the messages you want before you start suppressing alerts. Sometimes you will get the same message with a different time stamp in the Timestamp and Message fields, causing the suppression not to work or causing it to work too well. Play around with the different options after you have your list of requirements.
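To preview both failure modes before changing the alert, the following added example (not from the original post, and not SCOM code) groups constructed Syslog lines by a chosen set of suppression fields and reports which distinct messages would be folded into one alert. It assumes the Message field carries the embedded time stamp, as the paragraph above describes; the Text field and the function names are hypothetical helpers for the review.

```python
import re
from collections import defaultdict

# Constructed RFC 3164-style sample lines; PRI 187 = facility 23, severity 3.
SAMPLE = [
    "<187>Mar  3 10:15:01 fw01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<187>Mar  3 10:15:31 fw01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<187>Mar  3 10:16:02 fw01 %SYS-3-CPUHOG: Task ran for 2004 msec",
    "<187>Mar  3 10:16:05 sw02 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
]

LINE = re.compile(r"<(\d+)>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)")

def parse(line):
    """Split one Syslog line into the fields the suppression criteria use."""
    pri, ts, host, text = LINE.match(line).groups()
    pri = int(pri)
    return {
        "Facility": pri >> 3,              # upper bits of PRI
        "Severity": pri & 7,               # lower three bits of PRI
        "TimeStamp": ts,
        "HostName": host,
        "Message": f"{ts} {host} {text}",  # assumption: Message embeds the time stamp
        "Text": text,                      # hypothetical: message without the time stamp
    }

def simulate(lines, fields):
    """Group events by the suppression fields; each group becomes one alert."""
    groups = defaultdict(list)
    for event in map(parse, lines):
        groups[tuple(event[f] for f in fields)].append(event)
    return groups

def folded_texts(groups):
    """Return keys under which more than one distinct message was suppressed."""
    folded = {}
    for key, events in groups.items():
        texts = sorted({e["Text"] for e in events})
        if len(texts) > 1:
            folded[key] = texts
    return folded

if __name__ == "__main__":
    for fields in (["Facility", "Severity", "HostName", "Message"],
                   ["Facility", "Severity", "HostName"]):
        groups = simulate(SAMPLE, fields)
        print(fields, "->", len(groups), "alerts; folded:", folded_texts(groups))
```

With Message in the criteria every line raises its own alert; with only Facility, Severity, and HostName the CPUHOG event on fw01 disappears into the link-down alert, which is the "works too well" case to check against your requirements.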

Read the complete post at http://david-stclair.spaces.live.com/Blog/cns!112A71B19678F08D!235.entry

Copyright - www.myITforum.com, Inc. - 2010 All Rights reserved.