Multiple entries for same alert in SCOM 2012 R2 Database

Question

question

sreejeetnambiar-6021 asked Oct 15, '20 CyrAz answered Oct 28, '20

Multiple entries for same alert in SCOM 2012 R2 Database

Hi,

I have been noticing this behaviour from sometime, that multiple entries are created for same alert in SCOM 2012 R2 Database.
One thing I noticed is, these multiple alert entries have one Column for Ticket ID and one of this entries is NULL and the other entry shows the Ticket ID for that alert.
Is this a normal behaviour of how SCOM stores the alert data in the Database.
I am using SQL Query to fetch this data from the Database. I guess this is the same result if I generate Reports using the Reporting tab.

Also, is it possible to get an alert report, showing only one entry for similar alert?

Thanks,
Sreejeet

msc-operations-manager

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2020-10-15T13:35:13.327Z

sreejeetnambiar-6021 answered Oct 15, '20

Also one more query I would like to add here is that, when I generate report by running the SQL query the time stamp will show exact 2 hours difference (attached the screenshot). What could be the reason for this. I see the Database server and the SCOM server have the same time zone set.

time-difference.png (145.3 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2020-10-26T19:01:28.04Z

PeterSvensson-4019 answered Oct 26, '20

I believe all time in the SCOM Datawarehouse is in UTC time, thats whay you see the time differnce.

As for multiple entries from your query. It all depends on which fields you select in your query.
For instance, if you have an alert with different resolution states and you have that in your query you are going to get multiple rows back.
You can try to use DISTINCT in your Select clause to only get unique entries.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 3 · 2020-10-26T21:41:21.54Z

StoyanChalakov answered Oct 26, '20 sreejeetnambiar-6021 commented Oct 28, '20

Hi @sreejeetnambiar-6021,

@PeterSvensson-4019 has a point here, well actually two:

The SCOM DB shows the UTC time indeed
The query result very much depends on the query itself. In regards to this I have two recommendations:
1. Test the data, using a build in report.
2. Post the query here, so we can try it and give you some feedback.

(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Regards,
Stoyan

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sreejeetnambiar-6021 · Oct 28, 2020 at 09:16 AM

Hi,

After running the SQL query, I also ran the built in report for the same and found multiple entries in the report as well.
one entry shows when the Alert was created, another when the custom fields of the alert is modified (note, we use a script to add data into these custom fileds, then this information is forwarded to System Center Orchestrator which then runs a runbook to create a ticket in SCSM), then an entry that shows the SCSM ticket ID is created, then an entry that show the Ticket is closed (if the ticket is closed by the resolver group). So a total of 4 entries (records).

Thanks,
Sreejeet

0 ·

Answer 4 · 2020-10-28T09:44:04.91Z

CyrAz answered Oct 28, '20

I guess that's because there is one entry per state change in the DB which is perfectly normal, but if you could show us your query I'll be able to confirm it.

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

question