This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 14.000000000000002%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELS%3C/text%3E%3C/svg%3E)
Hi...
I need to create a batch of rules into SCOM, like 100 rules into SCOM.
The rules are event ID-based, so there's an event been written for alerting and clearing....
But I can't seem to find anything on this subject...
It seems like there's no way to create multiple alert rules into SCOM at once based on EVENTID...
Can please someone Help or shed some light...
Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
That's probably the easiest way : https://kevinholman.com/2014/01/21/how-to-use-snippets-in-vsae-to-write-lots-of-workflows-quickly/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 66%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi,
If our purpose is to generate an alert for any of the 100+ Event ID, perhaps we may consider to create only a single monitor/rule based on the script. In the script, we can detect any of the occurrence of the Event IDs specified, return the variables we want to collect (via propertybag), as well as the Event ID if necessary.
In the script, we may perform any operations required. Here's a sample to calculate the file count, just for your reference.
Alex
If the response is helpful, please click "Accept Answer" and upvote it.
Scripted monitors are not so great for event monitoring, as they won't trap new events "in real time" contrary to the native event datasource
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 53%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
more importantly as a monitor one event will trigger it, then every other event that triggers hides behind it and is 100% unnoticed so its a terrible solution to cover say 100 events.
two possible reason why they might want an even easier solution.
For instance at a guess the carbonite management pack has 242 rules for events that don't work. sure I could create these all by hand or code blocks etc, but programmatically would be much easier. Maybe the original poster is trying something similar. this is where creating a rule via powershell would be good (and you can at worst do this by creating the xml in a management pack
If not replacing existing bad rules what you can do is if the alert is parametrized you can use dynamic rule naming based on these to have one rule give alerts with different meaningful names and alert details based on the event itself.
This runs into the X hundred limit before being suppressed but that can be raised or if it doesn't alert like a Christmas tree just work a treat. https://kevinholman.com/2015/02/20/can-alert-names-contain-dynamic-data/
decent suppression settings will have these alert and count for each separate event ID so the event cant hide behind a monitor based solution. One rule to auto close these after they stop triggering for X period can be setup as well, if desired.
so yes that's potentially 100 'unique' alerts with auto close for the cost of TWO rules needing to be created.