SCOM 2012 script to close old alerts coming from Rules

This small PowerShell script was created to close old alerts coming from rules in SCOM 2012. Alerts from rules do not auto-close so you will have to manually close them. This script looks for those alerts and specifically also checks for the last modified date (and not the alert

 
 
 
 
 
System Center
12/22/2012


  • LastModified change
    1 Posts | Last post June 02, 2015
    • An issue I just discovered is that Get-SCOMAlert returns the object's LastModified property in UTC time.  That explains Chris' issue.  Here is the code I am using in my script that is different from Bob's original.
      
      # Adjust the amount of hours to your liking, by default it is set at 1 hour.
          $AgeHours = 1
          $AlertAgeOffset = (Get-Date).AddHours(-$AgeHours)
      
      # Find alerts with New state which were created by a rule.
      # This will close alerts older than the specified amount of hours if coming from a rule, after adding a comment.
      
      Get-SCOMAlert 'ResolutionState=''0'' AND IsMonitorAlert=''False''' | Where-Object {$_.LastModified -lt $AlertAgeOffset.ToUniversalTime()} | Resolve-SCOMAlert -Comment 'Close old alerts generated by rules'
  • Closing SCOM Alert
    1 Posts | Last post June 02, 2015
    • At least with OpsMgr 2012 R2, using the Resolve-SCOMAlert commandlet does close the alert.
  • Script isn't working for me
    3 Posts | Last post September 27, 2014
    • I have been trying to get your solution to work (with the addition of an AND statement specifying a particular MonitoringRuleId (or Name) and setting the AgeHours to 1), but when I run the script (either locally or remotely) it does not close the rules that are clearly over 1 hour old.
      
      If I do part of the script:
      
      get-scomalert -criteria 'ResolutionState=''0'' AND IsMonitorAlert=''False'' AND Name=''System has been logged into via SSH using "root" password detected'''
      
      It shows me that there are two alerts, but if I add in the where clause:
      
      get-scomalert -criteria 'ResolutionState=''0'' AND IsMonitorAlert=''False'' AND Name=''System has been logged into via SSH using "root" password detected''' |where {$_.LastModified -le (Get-Date).addhours(-$AgeHours)}
      
      I get no results.  I think this is why they are not closing.  Not quite sure how to troubleshoot this.
      
      
    • Figured it out.  The LastModified -le needed to be changed to -ge (greater than or equal to) for it to work.
      
      Otherwise, it was looking for alerts that were LESS THAN 1 hour old to close them.
    • Great, that's exactly the trick. Also be careful with double quotes in the string you are looking for since they are surrounded by other double quotes as well.
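
Added example (not part of any post in this thread and not the gallery script itself): the three age filters discussed above, replayed against constructed alert objects so the effect of a UTC LastModified can be checked without a SCOM connection. With these values, the local cutoff with -le selects nothing, the local cutoff with -ge selects every alert including the fresh one, and the UTC cutoff selects only the stale alert. The fixed clock, the UTC-5 console offset, the alert names and the Test-Cutoff helper are assumptions made for illustration.

```powershell
# Constructed sample data; nothing here talks to a management server.
$AgeHours = 1

# Fixed clock so the run is repeatable. $NowUtc is the instant in UTC;
# $NowLocal is what (Get-Date) would read on a console assumed to be at UTC-5.
$NowUtc   = New-Object datetime 2015, 6, 2, 17, 0, 0, ([DateTimeKind]::Utc)
$NowLocal = New-Object datetime 2015, 6, 2, 12, 0, 0

# Stand-ins for Get-SCOMAlert output: LastModified carries UTC values.
$Alerts = @(
    [pscustomobject]@{ Name = 'stale-3h';  LastModified = $NowUtc.AddHours(-3) }
    [pscustomobject]@{ Name = 'fresh-10m'; LastModified = $NowUtc.AddMinutes(-10) }
)

# Hypothetical helper: returns the names a filter would pass on to
# Resolve-SCOMAlert, joined into one string (empty when nothing matches).
function Test-Cutoff {
    param([object[]]$Alert, [scriptblock]$Filter)
    @($Alert | Where-Object $Filter | ForEach-Object Name) -join ','
}

# Cutoff taken from the local wall clock, as in (Get-Date).AddHours(-$AgeHours).
$LocalCutoff = $NowLocal.AddHours(-$AgeHours)

# Cutoff for the same instant expressed in UTC; on a live console this is
# (Get-Date).AddHours(-$AgeHours).ToUniversalTime().
$UtcCutoff = $NowUtc.AddHours(-$AgeHours)

# DateTime comparison looks at the clock value only and ignores Kind, so a
# UTC timestamp compared with a local cutoff is skewed by the zone offset.
$Results = [ordered]@{
    'local cutoff, -le' = Test-Cutoff $Alerts { $_.LastModified -le $LocalCutoff }
    'local cutoff, -ge' = Test-Cutoff $Alerts { $_.LastModified -ge $LocalCutoff }
    'UTC cutoff, -lt'   = Test-Cutoff $Alerts { $_.LastModified -lt $UtcCutoff }
}
$Results
```

Before piping a filter into Resolve-SCOMAlert, running it on its own and reading the LastModified values of what it returns shows whether recent alerts are among the matches.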
  • Thanks
    2 Posts | Last post September 27, 2014