SCOM Close alerts from rules
SCOM, SCOM Tricks
Was looking at a SCOM console with a lot of alerts today at a customer site. I did not feel like going through it all, so I wanted to clean out all alerts created by a rule, which had not been modified for at least 24 hours. This is because alerts coming from rules will not auto-close like the ones from monitors generally do.
So had to create a one-liner for it
This is for SCOM 2007.
get-alert -criteria 'ResolutionState=''0'' AND IsMonitorAlert=''False''' |where {$_.LastModified -le (Get-Date).addhours(-24)} | resolve-alert -comment "Close old alerts generated by rules" | out-null
This will look for alerts with a New resolution state and coming from a rule, where the last modification to this alert was more than 24 hours ago, and close that alert with a small comment.
I have posted an extended script on Technet Gallery at http://gallery.technet.microsoft.com/SCOM-2007-R2-script-to-dae4ffda.
Sure cleaned out hundreds of old alerts.
Always comes in handy.
Bob Cornelissen
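
A review-first variant of the one-liner above, added here as an example and not taken from the original post or the TechNet script: it selects the same alerts, prints a per-rule summary, writes a CSV record of what would be closed, and only resolves when a flag is set. It assumes the Operations Manager Command Shell for SCOM 2007; `$reportPath` and `$close` are hypothetical names and the path is a placeholder.

```powershell
# Run inside the Operations Manager Command Shell (SCOM 2007), where get-alert
# and resolve-alert are available. $reportPath and $close are hypothetical names.
$reportPath = 'C:\Temp\old-rule-alerts.csv'   # assumed location, adjust as needed
$close      = $false                          # set to $true only after reviewing the report

# Same selection as the one-liner: New (0) alerts raised by rules,
# not modified for at least 24 hours.
$cutoff = (Get-Date).AddHours(-24)
$old = @(get-alert -criteria 'ResolutionState=''0'' AND IsMonitorAlert=''False''' |
         where { $_.LastModified -le $cutoff })

"{0} rule alerts in state New last modified before {1}" -f $old.Count, $cutoff

# Summary by alert name, so a noisy rule stands out from a one-off alert.
$old | group-object Name | sort-object Count -descending |
    format-table Count, Name -autosize

# Keep a record of exactly which alerts are about to be closed.
$old | select-object Id, Name, Severity, MonitoringObjectDisplayName, TimeRaised, LastModified |
    export-csv -path $reportPath -noTypeInformation

# Resolve with the same comment as the one-liner, only when explicitly enabled.
if ($close) {
    $old | resolve-alert -comment "Close old alerts generated by rules" | out-null
}
```

With `$close` left at `$false` the script changes nothing in the management group, which makes it a safe way to check the selection before closing anything.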


I tried using your script on our only SCOM 2007 R2 environment. It's fairly small, only about 86 agents at this time.
At the moment there are about 40 New/Open rule-based alerts that are at least 2 weeks old.
I thought your PowerShell script would be ideal for this.
When I run the script directly on the RMS, the output on the screen shows:
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> C:\Windows\system32\windowspowershell\v1.0\CloseOldAlertsFromRules.ps1
PathName :
ManagementGroup : PPDI
ManagementServerName : wilscrms001.americas.ppdi.local
Drives :
PS Microsoft.EnterpriseManagement.OperationsManager.Client\OperationsManagerMonitoring::wilscrms001.americas.ppdi.local>
The old alerts never close and nothing else comes up.
Am I missing something?
Thanks,
Sven
Just to be sure first try to see if your console is not trying tricks on you. Check out this old post: http://www.bictt.com/blogs/bictt.php/2011/05/26/scom-trick-10-scom-console
Perhaps it's just a cache thing why you are seeing these.
Next thing I can think of... my script closes alerts coming from RULES, and not monitors. If you open the script you will quickly see where that is. Normally you would not close alerts from monitors as they should close themselves, however there are exceptions such as manual reset monitors. In those cases you can just adjust IsMonitorAlert=''False'' to true. You can see quickly enough if the alerts come from rules or monitors from the SCOM console.
Let me know if these two things help you.
Yup, I've already got the /clearcache option in the Console startup shortcut.
Also, the Open/New Alerts I'm looking to remove are definitely Rule Alerts. There is a mix of Critical and Warning alerts, and the Alert Details clearly state "Alert Rule:". The majority of the Alerts are Active Directory alerts produced by the Active Directory MP.
One other thing, I ran this script directly on the RMS in question, just in case running it from my desktop was an issue.
Regards,
Sven
One other question, is this script compliant for both SCOM 2007 SP1 and SCOM 2007 R2, or just one?
Sven
You could try to run the command from an opsmgr shell session. And leave out the last bit of the command (where it closes the alert) and output that to the screen. Make the time not 24 hours but 1 hour, so you can try to see if any of the more recent new alerts from rules show up in your screen and hopefully the old ones as well. Check to see if a more recent alert will close with the script. That it is only the very old ones which keep nagging.
The 2012 version can be found here http://www.bictt.com/blogs/bictt.php/2012/12/22/scom-2012-close-old-alerts