Huntland Services Ltd

Tel: +44 (0)1392-490518
Fax: +44 (0)1392-428003
Enquiries@huntland.co.uk

Setting and Using MOM State Variables

 

Back

Download This Article

  

State Variables in MOM are not unlike environment variables to the Windows Operating Systems. They are maintained in an isolated environment by the MOM Agent on each machine and persist only as long as the Agent is running. They are intended to reflect the 'State' of that machine. You cannot read or write to these variables outside the MOM environment. They are useful for being accessed by scripts run within MOM. Modifying the State Variables can be performed by configuring MOM's event and alert responses in which case it uses highly optimized code rather than in a script, and has minimal performance impact. Additionally a MOM administrator can create scripts to read and modify these variables and execute these separately as part of the response mechanism. 

State Variables maintained by the Agent running on the Consolidator are a special case. They can be accessed and modified by the Agents of managed systems. It offers a central place to manipulate site wide State data. This is the mechanism used to correlate State across multiple systems. Scripts running on the Consolidator machine can likewise access the state on any managed system and the MOM database.

MOM's agent uses a class of object known as a VARSET.  A Varset can contain a set of variables. Users can define their own Varset object, populate it with their own variables, and have the whole object committed to or retrieved from a persistent store. On the other hand there is a special Varset object maintained by MOM called the STATE object. This is automatically persistent and can be filled with user variables which can contain any text, number or value from a property from the event or alert that fired.

For example to have your alert or event update a state variable when it fires, configure the Response tab for that rule. Click on the Add button and select Update State Variable. Notice how you can chose whether you want your event\alert to update available either locally on the system where it fired, or on the central MOM Consolidator server. Updating your variable centrally allows events\alerts firing on other systems to read it or modify it themselves.
If you now click Add in the State Variable Update dialog you will be able to select one of the valid operations to be performed on your variable, namely:

 Increment Variable Value

 Use this to maintain a count or accumulate information from similar types of event.  So maybe event1 and event2 increment your value while event3 decrements it.

Decrement Variable Value

 

Set Variable value to property

Pick one of the valid Alert or Event properties (see below) and make your variable store this data.  The event\alert properties will be passed to the consolidator.  Your variable can remain stored for use by other event\alerts.

Set Variable Value to Text

 Simply enter the text you want your variable to have.  The fact that you can select event\alert properties here is meaningless.  For instance you could not set the property $Repeat Count$ to "The  rain in Spain" - it would just be ignored.

Set Variable to number

Type in what n umber you want your variable to have.  Again the available list of event\Alert properties is meaningless

Store the Last N occurrences

You supply the variable name and the number of occurrences you want to keep, and the event\alert property you want to keep.  This is like keeping a history.  You can then read this using scripts to see what the state was three events previously for example.

 To access state variables in scripts you use the STATE object.  If you selected one of the options above to update your state variable called 'myVar', you could then access it using a script thus:

dim theAnswer
theAnswer = State.Get("myVar")
'now do whatever you want to do with the value in theAnswer

Notice this is a complete script!  You don't have to create the state object, MOM does that and keeps it alive while the agent is running.

Last occurrences are kept in an array using the variable name you supplied as the root.  So if you said you wanted to keep the last 5 occurrences of the event property 'Provider Name'  in MyVar then they will be stored in MyVar.1, myVar.2, myVar.3, myVar.4 and myVar.5.  The total number is kept in myVar.size, the index of the last one added in myVar.last and the index of the first one in myVar.First

To access occurrences through scripts you use:

dim theTotal, thisOne, theLastOneIndex, theLastOne
theTotal = State.Get("myVar.size")                               'the answer will be 5
thisOne = State.Get("myVar.3")                                    ''A particular Data provider
theLastOneIndex = State.Get("myVar.last")                 'returns the index number
theLastOne = State.Get("myVar.theLastOneIndex")    'The data provider used by the last event

 The list of valid properties for events and alerts are:

Alert Properties

Event Properties

Alert Name

Event Number

Alert Description

Full Event Number

Alert Source

Event Type

Owner

Message DLL

Severity

Message DLL File Version

Severity Number

Source Name

Resolution State

Provider Name

Time

Description

Computer

Computer

Domain

Category

Alert Rule Group ID

Event Time

Alert URL

Agent

CustomField 1 to 5

User Name

Custom Field Name 1 to 5

Logging Domain

 

Source Domain

 

Repeat Count

 

First Time

 

Last Time

 

Start Time

 

Event URL

 

Parameter 1 to 25

Alerts can be configured to include custom fields created by the author of the rule.  This information can therefore be used in state variables, accessed by scripts and displayed in the MMC Console.  If a custom filed is defined in one alert it will be the same for all alerts in the same processing rule group.

  Event properties include 25 parameters.  These correspond to the first 25 variables returned by the data provider.  For instance the IIS w3svc log file provider reports each line in the log file.  Supposing you were only interested in firing an event when from the information in the log file the IP address of the client was 192.168.30.100.  By knowing that the client address is the 4th parameter in the log file line you could easily build your event\alert criteria as parameter4 = “192.168.30.100”.  Each data provider fills these parameters differently so you must look them up in the online help for MOM or write a script that prints them out to a text file for you to examine. (watch this space)