SCOM 2007 Regular Expressions

One of the hardest thing to deal with in SCOM over the years (for me) has been understanding how SCOM interprets RegEx. It has been frustrating, to say the least. And for whatever reason, everything else to do with SCOM has been very well documented, expanded by the community and freely available. Not RegEx info. So today, working on a non-related issue, I came across this post that had some really good, concise info on how SCOM handles RegEx. In case the post gets deleted or lost or whatever, here is the excerpt (thanks to Dan Rogers):

Regular expression support in SCOM 2007

Many teams that are authoring management packs may need to include regular expression matching in their discoveries and groups, as well as for pattern matching in expression criteria in monitors and rules.

There are two different types of regular expression support in the SCOM product, and you have to know which element you are working in to choose the correct one.  Specifically, Group membership calculation and expression filters use distinctly different syntaxes for pattern matching.

Group Calculation matching criteria

Group calculation uses PERL regular expression syntax.  By default, the matching is case insensitive, but in the XML you can specify that an expression needs to be case sensitive by way of a special attribute dedicated to specifying that the expression content should be evaluated in a case sensitive way.

Group Calculation is found in your MP whenever you are using the Group Calc module.

The GroupCalc expression has an operator called MatchesRegularExpression that is used to create dynamic group membership based on pattern matching expressions.  The implementation of this operator passes the expression found in the MP XML to the SQL call name dbo.fn_MatchesRegularExpression.  If this call returns 0, the match is false.  If the expression returns 1, the match is true.

GroupCalc also supports two special sub-elements that abstract away a couple of common regex style queries.

GroupCalc sub element	Regex Equivalent
ContainsSubstring	^*{O}.*$                ({O} is replaced by the substring)
MatchesWildcard	MP expression	Regex Equivalent
	?	.
	*	.*
	#	[0-9]

Table 1:  GroupCalc special functions

Note:  If either of these two special operators are used, the evaluation will always be case sensitive.

Expression Filter matching criteria

Expression filters used in management packs use .NET Regex expression syntax.  A summary of the .NET regular expression syntax elements appears below.  Expression filters are present in your management pack whenever you are using the Expression Eval module.

Construct	SCOM Regex
Any Character	.
Character in Range	[ ]
Character not in range	[^ ]
Beginning of Line	^
End of Line	$
Or	|
Group	( )
0 or 1 matches	?
0 or more matches	*
1 or more matches	+
Exactly N matches	{n}
Atleast N matches	{n, }
Atmost N matches	{ , n}
N to M Matches	{n, m}
New line character	\n
Tab character	\t

Regular expressions via SDK

The SCOM SDK has a Matches criteria operator for filtering objects. This operator use the same functionality as MatchesCriteria in the GroupCalc case explained above.

When using the SDK to construct a criteria expression to find objects in the Ops Manager database, the following syntax elements are valid (see below).  This syntax is useful when creating a criteria expression that includes any of the following elements:

• Comparison operators
• Wildcard characters
• DateTime values
• Integer to XML Enumeration comparisons

Comparison operators

You can use comparison operators when constructing a criteria expression. The valid operators are described in the following table:

Operator	Description	Example(s)
=, ==	Evaluates to true if the left and right operand are equal.	Name = ‘mymachine.mydomain.com’
!=, <>	Evaluates to true if the left and right operand are unequal.	Name != ‘mymachine.mydomain.com’
>	Evaluates to true if the left operand is greater than the right operand.	Severity > 0
<	Evaluates to true if the left operand is less than the right operand.	Severity < 2
>=	Evaluates to true if the left operand is greater than or equal to the right operand.	Severity >= 1
<=	Evaluates to true if the left operand is less than or equal to the right operand.	Severity <= 3
LIKE	Evaluates to true if the left operand matches the pattern that is defined by the right operand. Use the characters in the wildcard table later in this topic to define the pattern.	Name ‘LIKE SQL%’Evaluates to true if the Name value is “SQLEngine.”Name LIKE ‘%SQL%’ Evaluates to true if the Name value is “MySQLEngine.”
MATCHES	Evaluates to true if the left operand matches the regular expression defined by the right operand.	Name MATCHES ‘SQL*05’Evaluates to true if the Name value is “SQL2005.”
IS NULL	Evaluates to true if the value of the left operand is null.	ConnectorId IS NULLEvaluates to true if the ConnectorId property does not contain a value.
IS NOT NULL	Evaluates to true if the value of the left operand is not null.	ConnectorId IS NOT NULLEvaluates to true if the ConnectorId property contains a value.
IN	Evaluates to trueif the value of the left operand is in the list of values defined by the right operand. Note The IN operator is valid for use only with properties of type Guid.	Id IN (‘080F192C-52D2-423D-8953-B3EC8C3CD001’, ‘080F192C-53B2-403D-8753-B3EC8C3CD002’)Evaluates to true if the value of the Id property is one of the two globally unique identifiers provided in the expression.
AND	Evaluates to true if the left and right operands are both true.	Name = ‘SQL%’ AND Description LIKE ‘MyData%’
OR	Evaluates to true if either the left or right operand is true.	Name = ‘SQL%’ OR Description LIKE ‘MyData%’
NOT	Evaluates to true if the right operand is not true.	NOT (Name = ‘IIS’ OR Name = ‘SQL’)

Table 3: SDK comparison operators

Wildcards

The following table defines the wildcard characters you can use to construct a pattern when using the LIKE operator:

Wildcard	Description	Example
%	A wildcard that matches any number of characters.	Name LIKE 'SQL%'Evaluates to true if the Name value is “SQLEngine.”Name LIKE '%SQL%' Evaluates to true if the Name value is “MySQLEngine.”
_	A wildcard that matches a single character.	Name LIKE 'SQL200_'Evaluates to true for the following Namevalues:”SQL2000″ “SQL2005” Note The expression evaluates to false for “SQL200” because the symbol _ must match exactly one character in the Name value.
[]	A wildcard that matches any one character that is enclosed in the character set. Note Brackets are also used when qualifying references to MonitoringObject properties. For more information, see Defining Queries for Monitoring Objects.	Name LIKE 'SQL200[05]‘Evaluates to true for the following Namevalues:”SQL2000″ “SQL2005” The expression evaluates to false for “SQL2003.”
[^]	A wildcard that matches any one character that is not enclosed in the character set.	Name LIKE 'SQL200[^05]'Evaluates to truefor”SQL2003.” The expression evaluates to false for “SQL2000” and “SQL2005.”

Table 4:  Wildcard operators used with LIKE operator

DateTime comparisons

When you use a DateTime value in a query expression, use the general DateTime format (“G”) to convert the DateTime value to a string value. For example,

C#

string qStr = “TimeCreated <= ‘” + myInstant.ToString(“G”) + “‘”;

ManagementPackCriteria mpCriteria = new ManagementPackCriteria(qStr);

All date values need to be converted to the G format (GMT) so that valid string comparisons can be made.

Integer value comparison to enumerations

When you use an integer enumeration value in a query expression, cast the enumeration value to an integer. For example,

C#

string qStr = “Severity > ” + (int)ManagementPackAlertSeverity.Warning;

MonitoringAlertCriteria alertCriteria = new MonitoringAlertCriteria(qStr);

Advertisement

Automatic start/restart recovery action for Windows Service in SCOM 2007

I am not sure if I am missing something, or simply nobody has thought of an easier way of doing this but I have run into this issue twice already. I am setting up SCOM 2007 (once with RTM +SP1 and once with R2) and I setup standard Windows service monitoring, so that I am notified when a Windows service stops or dies. The issue is that there seems to be no EASY way to create an automatic recovery action for the monitor to restart the service if it goes down.

If you try to modify to default monitor “Service Running State” from the Windows Service Library management pack and add a recovery action to it to start the service if the monitor goes into a Critical state, you would get this pleasant error:

Date: 1/28/2010 10:08:19 AM
Application: System Center Operations Manager 2007 R2
Application Version: 6.1.7221.0
Severity: Error
Message:

: Verification failed with [1] errors:
——————————————————-
Error 1:
: Failed to verify Recovery [MomUIGenaratedRecoverybdae2c715da44a0797df0f2dbd5b41dc]
The requested ManagementPackElement [Type=ManagementPackMonitor, ID=Microsoft.SystemCenter.NTService.ServiceStateMonitor] in ManagementPack [ManagementPack:[Name=Microsoft.SystemCenter.NTService.Library, KeyToken=31bf3856ad364e35, Version=6.1.7221.0]] is not Accessible outside this ManagementPack.
——————————————————-

Failed to verify Recovery [MomUIGenaratedRecoverybdae2c715da44a0797df0f2dbd5b41dc]The requested ManagementPackElement [Type=ManagementPackMonitor, ID=Microsoft.SystemCenter.NTService.ServiceStateMonitor] in ManagementPack [ManagementPack:[Name=Microsoft.SystemCenter.NTService.Library, KeyToken=31bf3856ad364e35, Version=6.1.7221.0]] is not Accessible outside this ManagementPack.
: Failed to verify Recovery [MomUIGenaratedRecoverybdae2c715da44a0797df0f2dbd5b41dc]
The requested ManagementPackElement [Type=ManagementPackMonitor, ID=Microsoft.SystemCenter.NTService.ServiceStateMonitor] in ManagementPack [ManagementPack:[Name=Microsoft.SystemCenter.NTService.Library, KeyToken=31bf3856ad364e35, Version=6.1.7221.0]] is not Accessible outside this ManagementPack.
: The requested ManagementPackElement [Type=ManagementPackMonitor, ID=Microsoft.SystemCenter.NTService.ServiceStateMonitor] in ManagementPack [ManagementPack:[Name=Microsoft.SystemCenter.NTService.Library, KeyToken=31bf3856ad364e35, Version=6.1.7221.0]] is not Accessible outside this ManagementPack.

So… After some digging I found out this is one (or THE) way of getting this accomplished:

1. Create a new Basic Service Monitor under Authoring\Management Pack Objects\Monitors – Windows Service\Entity Health\Availability called Service Run State (the name of the monitor is arbitrary, but it is close enough to the original name, Service Running State, that it makes sense…). Make sure you don’t add it to the Default Management Pack.

2. For Service Name enter this string:

$Target/Property[Type=”MicrosoftSystemCenterNTServiceLibrary!Microsoft.SystemCenter.NTService”]/ServiceName$

Update: This string may vary for you. The best way to find it (and you should probably do that, instead of simply copying mine) is to try and create a recovery action in the original Service Running State monitor. When you get to the point of entering a command, click the arrow next to the Parameters box. The fly-out will have a list of parameters. Pick the one on top called Service Name. The UI will place the string in the parameters box. Once you have it there, copy it and save it. Cancel the Create Recovery Task Wizard. In my latest install the string looks like this:

$Target/Property[Type=”MicrosoftSystemCenterNTServiceLibrary6172210!Microsoft.SystemCenter.NTService”]/ServiceName$

3. Accept all other defaults. Once it is created, go into the properties of it, under Diagnostics and Recovery

4. Create a Recovery Action – Run A Command. The command line should be:

Full path to file: net.exe

Parameters: start “$Target/Property[Type=”MicrosoftSystemCenterNTServiceLibrary!Microsoft.SystemCenter.NTService”]/DisplayName$”

5. Save it.

You are done.

— If you this post helped you, please, rate it/”Like” it.