For a script I was creating in order to classify new alerts in SCOM, I found myself wanting to find alerts that had been in a “New” state for over 30 minutes and give them a specific Resolution State.
So I just started out creating a search string in PowerShell until I got the logic of the command, but I was still missing some specifics, which I went out to find, as I expected some time issues (how to tell it that an alert is older than 30 minutes). I don’t know enough PowerShell to do the fancy stuff yet, although I will be working on it B)
After some searching I found an entry by Scott Garret at BlackOps, which I could use to adjust what I was looking for. Happy he found the route through all the brackets :>
Most importantly, I changed it so that it doesn’t look for LastModified, but for the last time the resolution state of the alert was changed. And in my case it needed to be more than a certain number of minutes ago. I also had to play with the single and double quotes, as copy/paste always gives some headaches with those things.
So in the end this is a short one that loops through all New alerts in SCOM, finds alerts that have been in the New state for over 30 minutes, and sets the resolution state to something else (I just took a random number which I could use later in the follow-up).
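# Resolution state to assign to the stale alerts
$resState = 59
# New alerts (ResolutionState 0) whose resolution state last changed 30 or more minutes ago (UTC)
$alerts = get-alert -criteria "ResolutionState='0' AND TimeResolutionStateLastModified <= '$((((Get-Date).ToUniversalTime())).addminutes(-30))'"
if ($alerts) {
    foreach ($alert in $alerts)
    {
        # Set the new state and commit the change (empty comment string)
        $alert.ResolutionState = $resState
        $alert.Update("")
    }
}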
So the important part is this part of the command. This will output the alerts when you run it in the OpsMgr Shell.
get-alert -criteria "ResolutionState='0' AND TimeResolutionStateLastModified <= '$((((Get-Date).ToUniversalTime())).addminutes(-30))'"
This gets the alerts, with two criteria. The first is that it needs to be a New alert (ResolutionState='0'), and the second is that the last change in the resolution state must be more than 30 minutes ago (this is the created time, by the way, or the time of the change if somebody really wanted to manually place an alert back into the New state).
Want to see the alerts and just have it output the last time the resolution state changed?
get-alert -criteria "ResolutionState='0' AND TimeResolutionStateLastModified <= '$((((Get-Date).ToUniversalTime())).addminutes(-30))'" | fl TimeResolutionStateLastModified
Keep in mind you are seeing UTC time here and not your local time.
By the way, there is a way to do just this in a one-liner, but there was another need in the script to catch other things for the classification, so I just used this method. If you wanted to close those alerts based on this get-alert search string, you can just pipe it into | resolve-alert and you are done with it.
Perhaps somebody else finds a use for this as well sometime :p If so, good luck!
Bob Cornelissen