How to use criteria when scoping alerts

This article explains how to filter alerts using advanced criteria when using the alerts tile.

Filters

When configuring the Alerts tile, the Filters section gives you some basic options for filtering the alerts returned.

Scope Criteria

The Criteria option under Scope -> Advanced allows you to more precisely filter alerts by creating a specific expression to refine the list of alerts.

For example, Owner = 'sales\cash' returns only alerts where the Cash user has been assigned as an owner of the alert.

Name LIKE '%failed%' displays only alerts where the alert name includes “failed”.

Criteria works alongside any configured Filters, but when using an expression in Criteria you may prefer to set the Filters options to Any so that filtering comes from only one source.

Useful operators

The table below shows some of the common operators and wildcards you can use when defining a criteria expression.

| Operator | Effect |
| --- | --- |
| = | equals |
| != | does not equal |
| < | less than |
| > | greater than |
| LIKE | simple pattern matching |
| % | matches any number of characters when used with LIKE |
| _ | matches any single character when used with LIKE |
| MATCHES | full .NET regular expression matching |
| AND | test if two conditions are both true |
| OR | test if either of two conditions are true |

See the following Microsoft pages for more information on the syntax and a full list of operators:

Criteria Expression Syntax

Alert Properties

Property names are case sensitive: it must be Name, not name, and ResolutionState, not Resolutionstate. Useful properties for Criteria expressions include:

| Property Name | Values |
| --- | --- |
| Name | The name of the alert |
| Description | Depending on how this is written to the data warehouse by your management pack, the description can be stored under either AlertParams or Description. When filtering on alerts you will want to use both to ensure that this captures either case, for example: AlertParams LIKE '%server connection%' OR Description LIKE '%server connection%' |
| ResolutionState | Default Resolution States are: 0 = New; 249 = Acknowledged; 248 = Assigned to Engineering; 247 = Awaiting Evidence; 254 = Resolved; 250 = Scheduled; 255 = Closed |
| Severity | Severity levels for alerts: 2 = Critical/Error; 1 = Warning; 0 = Information. Severity=2 is the same as selecting Severity of error in the Filters section. |
| Priority | Priority levels for alerts: 2 = High; 1 = Medium; 0 = Low |
| MonitoringObjectHealthState | HealthStates are: 1 = Healthy; 2 = Warning; 3 = Critical; 0 = Unmonitored |
| MonitoringObjectInMaintenanceMode | 1 if in maintenance mode, otherwise 0 |
| Owner | Will be NULL if unassigned |

See the Remarks section in the following Microsoft article for valid property names in alert criteria:

MonitoringAlertCriteria Class

Example Criteria

The following table provides you with some example filters that are commonly used by dashboard authors.

Many of the examples can be achieved purely by using the Filters section, but they are included here to demonstrate the syntax and use of properties.

| Alerts you would like to see | Criteria |
| --- | --- |
| Only new alerts | ResolutionState = 0 |
| Alerts that are not closed | ResolutionState != 255 |
| Alerts that are not resolved | ResolutionState != 254 |
| List critical or high priority alerts | Severity = 2 OR Priority = 2 |
| Alerts that are not Information, i.e. Warning or Critical alerts | Severity != 0 |
| Alerts for objects in a warning health state | MonitoringObjectHealthState = 2 |
| Alerts for servers that are in maintenance mode | MonitoringObjectInMaintenanceMode = 1 |
| All those not in maintenance mode | MonitoringObjectInMaintenanceMode = 0 |
| Alerts with a specific owner | Owner = 'domain\username' |
| Alerts with no owner | Owner IS NULL |
| Alerts with a particular name | Name = 'Failed to Connect to Computer' |
| Alerts with a similar name | Name LIKE '%failed%' |
| Alerts with a particular description (using either AlertParams or Description) | AlertParams LIKE '%server connection%' OR Description LIKE '%server connection%' |
| Closed alerts where owner is not test | Owner != 'domain\test' AND ResolutionState = 255 |
| Alerts that do not start with 'Web Application' and do not mention IIS | NOT (Name LIKE 'Web Application%' OR Name LIKE '%IIS%') |
| All alerts for particular objects | (MonitoringObjectPath LIKE '%Server4%' OR MonitoringObjectPath LIKE '%Server3%') |
| Alerts modified by users, not updated automatically | LastModifiedBy != 'system' |
