Data Item XML - ConsolidatorData

This data type is created by consolidator condition module, which is one of the modules that creates new data item for its output. Luckily consolidator also appends its input into this newly created DT and it can be find inside of context. $Data/…$ context parameter replacement can be used and XPath queries can be created easier once we discuss this XML representation.

<DataItem time="2007-03-11T15:15:17.5561588-07:00" type="System.ConsolidatorData">

  <TimeWindowStart>2000-01-15T12:00:00.0000000-08:00</TimeWindowStart>

  <TimeWindowEnd>2000-01-15T12:05:00.0000000-08:00</TimeWindowEnd>

  <TimeFirst>2000-01-15T12:03:00.0000000-08:00</TimeFirst>

  <TimeLast>2000-01-15T12:00:04.0000000-08:00</TimeLast>

  <Count>2</Count>

  <Context>

This part will always carry a data item entering consolidator module as an input. As it is another data type, fragment will represent its XML representation and will start with <DataItem>. Following is representation of event data type.

      <DataItem type="Microsoft.Windows.EventData" time="2007-03-11T15:14:53.0000000-07:00">

        <EventOriginId>{F0DC0745-EC0C-4255-846C-C8C82549A559}</EventOriginId>

        <PublisherId>{431AD5B9-DD73-ADE6-7A14-B407799A13DC}</PublisherId>

        <PublisherName>Sample Publisher</PublisherName>

        <Channel>Application</Channel>

        <LoggingComputer>Computer</LoggingComputer>

        <EventNumber>2147503670</EventNumber>

        <EventCategory>0</EventCategory>

        <EventLevel>1</EventLevel>

        <UserName>N/A</UserName>

        <RawDescription><![CDATA[This is sample event for %1]]></RawDescription>

        <LCID>1033</LCID>

        <CollectDescription Type="Boolean">true</CollectDescription>

        <Params>

          <Param>SampleComputer</Param>

        </Params>

        <EventData/>

        <EventDisplayNumber>20022</EventDisplayNumber>

        <EventDescription><![CDATA[This is sample event for SampleComputer]]></EventDescription>

      </DataItem>

    </Context>

</DataItem>

XPath to properties:

To get to the properties of the input, one must always type following:

$Data/Context/DataItem/< relative path to the property>$

There are monitors that use consolidator data as the trigger for the state change (for example Microsoft.Windows.RepeatedEventLogSingleEventLog2StateMonitorType is example of such monitor). If it is desired for such monitor to also generate an alert, and if state change trigger properties are needed, following is the query that should be used:

Prior SP1 RTM use:

$Data/Context/Context/DataItem/< relative path to the property>$

For SP1 RTM use (although above will work as well):

$Data/Context/ DataItem /Context/DataItem/< relative path to the property>$