This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 45%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Hi Team,
I'm having SCOM rule writing the events into DB, I need to filter the <data> value from the event data xml column.
If the error count value is greater than 5 need to create alert.
SQL query used to find the event data
select EventData FROM [OPSMGRDW].[Event].[vEventDetail] evdes
inner join Event.vEvent evid on evdes.EventOriginId = evid.EventOriginId
inner join dbo.vEventLoggingComputer evcomp on evid.LoggingComputerRowID = evcomp.EventLoggingComputerRowID
Event Data Structure
<EventData>
<DataItem type="System.XmlData" time="2020-08-17T13:16:02.5711926+01:00" sourceHealthServiceId="ADBCE-1111-bdfjhbdwjh-jhvbjhdf">
<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Data>INFO: error found Received Output: count 1
</Data>
<Data>0</Data>
<Data>StdOut: INFO: error found </Data>
<Data>1</Data>
</EventData>
</DataItem>
</EventData>
A family of System Center products that provide infrastructure monitoring, help ensure the predictable performance and availability of vital applications, and offer comprehensive monitoring for datacenters and cloud, both private and public.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 17%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUU%3C/text%3E%3C/svg%3E)
I have checked all answers. These Answers are good and nice to apply. Acrylic paint tubes
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 66%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi,
If I understand correctly, the data is stored in a field of the tables (in xml format) and we want to parse the xml to get the error count. If the error count is greater than 5, some actions, for example, generating an alert, may be taken.
Please understand that operations manager is a real-time monitoring system. It measures the system periodically. If some value is beyond the threshold, it generates an alert and may probably send out a notification if we've configured that. For our problem, it's historical data. At such situation, we may consider using the sql query provided by YitzhakKhabinsky-0887 to export the result directly.
Hope the above information helps.
Alex Zhu
If the response is helpful, please click "Accept Answer" and upvote it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 26%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYK%3C/text%3E%3C/svg%3E)
Here is how to count <Data>1</Data> in the XML.
-- DDL and sample data population, start
DECLARE @tbl TABLE (ID INT IDENTITY PRIMARY KEY, [EventData] XML);
INSERT INTO @tbl ([EventData]) VALUES
(N'<EventData>
<DataItem type="System.XmlData" time="2020-08-17T13:16:02.5711926+01:00"
sourceHealthServiceId="ADBCE-1111-bdfjhbdwjh-jhvbjhdf">
<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">;
<Data>INFO: error found Received Output: count 1</Data>
<Data>0</Data>
<Data>StdOut: INFO: error found</Data>
<Data>1</Data>
</EventData>
</DataItem>
</EventData>');
-- DDL and sample data population, end
;WITH XMLNAMESPACES ('http://schemas.microsoft.com/win/2004/08/events/event' AS ns1)
SELECT ID
, [EventData].value('count(/EventData/DataItem/ns1:EventData/ns1:Data[./text()="1"])','INT') AS [Counter]
FROM @tbl;
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
That's likely not the right way of achieving whatever you're trying to do.
Could you be more specific about your actual goal?
Hi Cyril,
Find error count ( <Data>1</Data> ) and raise the alerts if count is more than 5.
OK, but why would you store that as an event in the DB, then run a SQL query?
The proper way of doing that would be to create an alert rule based on the datasource that collects that event...