Update: This script works for SCOM 2012 and up, so also 2016 and 2019. I have uploaded it to GitHub, as linked below.
About 10 months ago I published a simple script for SCOM 2007 R2 to close old alerts coming from rules. The reasoning is that: 1) alerts from rules do not close themselves, 2) they do have a last modified date of x days ago, so might not be current anymore. In some cases we just encounter environments where a lot of alerts have been created for whatever reason and/or have not been cleaned for some time. A script can make your life easier to quickly filter these out and close them before turning your attention to the more current alerts.
Of course we want to be able to do the same for SCOM 2012. Some months ago I looked into it for half an hour and could not understand why I could not simply adjust the command to the 2012 version of the cmdlets and have it working.
Today I looked into it again for some reason and found the problem was in the Resolve-SCOMAlert command.
When looking at the functioning of the command over here http://technet.microsoft.com/en-us/library/hh920262.aspx we see the following quite clear statement:
Resolves an alert. This does the same action as Set-SCOMAlert -ResolutionState 255.
And of course the good thing about the Resolve-SCOMAlert command is that we can enter a comment in the alert history saying we closed it automatically because it was too old.
However, I found again that this command does not close the alert. It simply does not change the resolution state to 255 (which is “Closed”).
So I have worked around it by first having this command insert the comment and next feeding the alert back into the Set-SCOMAlert command in order to close it. 💡
On GitHub you can now find a script to close old alerts from rules in SCOM 2012.
In SCOM 2016/2019, Resolve-SCOMAlert should now actually close the alert, so if you like you can comment out the very last bit with Set-SCOMAlert and it should do the same.
In the script you will find a variable with the number of hours we define as old (Alert Last Modified), which you can change from the default 96 hours to whatever your environment requires.
Also, the script assumes you run it on a management server, so it connects to localhost by default. However, there are commented lines defined already where you can enter the name of a management server and connect to it remotely from something other than a SCOM management server.
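The approach described above, as an added example (this is not the script published on GitHub): it selects open rule alerts older than the threshold, writes the comment with Resolve-SCOMAlert and then feeds the alert into Set-SCOMAlert. The parameter names, the report-only switch and the comment text are assumptions made for illustration.

```powershell
# Added example, not the author's published script.
# Parameter names and the comment text are assumptions.
param(
    [int]$MaxAgeHours = 96,                   # "old" threshold, default from the post
    [string]$ManagementServer = 'localhost',  # change to connect remotely
    [switch]$ReportOnly                       # list candidates without closing them
)

Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $ManagementServer

# Alert timestamps are returned in UTC, so build the cutoff in UTC as well.
$cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)

# Open alerts (not 255/Closed) raised by rules (not monitors) and not
# modified since the cutoff.
$oldRuleAlerts = @(Get-SCOMAlert | Where-Object {
    $_.ResolutionState -ne 255 -and
    -not $_.IsMonitorAlert -and
    $_.LastModified -lt $cutoff
})

"Found {0} open rule alerts not modified since {1:u}" -f $oldRuleAlerts.Count, $cutoff

if ($ReportOnly) {
    # Review what would be closed before running without -ReportOnly.
    $oldRuleAlerts | Select-Object Name, MonitoringObjectDisplayName, LastModified
    return
}

$comment = "Closed automatically: rule alert not modified for $MaxAgeHours hours"

foreach ($alert in $oldRuleAlerts) {
    # Step 1: Resolve-SCOMAlert records the comment in the alert history.
    # Step 2: on SCOM 2012 the state is not changed by step 1, so the alert
    #         is passed on to Set-SCOMAlert, which sets it to 255 (Closed).
    Resolve-SCOMAlert -Alert $alert -Comment $comment -PassThru |
        Set-SCOMAlert -ResolutionState 255
}
```

Running it with -ReportOnly first shows which alerts match before anything is closed; the comment written in step 1 stays in the alert history as a record of why each alert was closed.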
The script can be downloaded from here:
SCOM 2012 script to close old alerts coming from Rules
Enjoy your cleaning up!