Is your MOM too sensitive, sending you alerts at too early a stage? As you presumably know, you can change thresholds and modify all rules to suit your environment better. I will show one way to do that in this post. In this example I will collect event ID 2 from the Application log, and when there have been two events with event ID 2 within one minute I will generate an alert.

Start by creating one rule to consolidate similar events with the following settings:

  • Data Provider – Provider Name: Application
  • Data Provider – Provider type: Windows NT Event Log
  • Criteria – with event id 2
  • Schedule – Always process data
  • Consolidate – Choose Event Number and Source Name, and set that events must occur within 60 seconds
  • Knowledge Base: Input a suitable text
  • General: Input a suitable name and verify that the rule is enabled

Then create a second rule, which generates the alert, with the following settings:

  • Data Provider – Provider Name: Application
  • Data Provider – Provider type: Windows NT Event Log
  • Criteria – event ID 2 and repeat count is at least 2 (Advanced criteria)
  • Schedule – Always process data
  • Alert – Check the box to generate alert
  • Alert Suppression – leave default settings
  • Responses – add suitable responses if needed
  • Knowledge Base: Input a suitable text
  • General: Input a suitable name and verify that the rule is enabled

That’s it. After two events with event ID 2 and the same source name you will get an alert.
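The following is an added example, not part of the original post and not MOM's own code: a small Python model of how the two rules combine, so you can check which event sequences would raise an alert before changing the thresholds. The names `Event`, `consolidate` and `alerts`, the sample events, and the windowing behaviour (a window opens at the first event of a group and includes the 60-second mark) are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed event record: time in seconds, Windows event ID, source name.
Event = namedtuple("Event", "time event_id source")

EVENT_ID = 2      # criteria used by both rules
WINDOW = 60       # consolidation period set in the first rule
MIN_REPEAT = 2    # "repeat count is at least 2" in the second rule


def consolidate(events, event_id=EVENT_ID, window=WINDOW):
    """First rule: merge events that share event number and source name.

    Assumption: a group's window opens at its first event; a later event
    joins the group if it arrives no more than `window` seconds after that.
    """
    open_groups = {}   # (event_id, source) -> most recent group for that key
    consolidated = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id != event_id:
            continue   # does not match the rule criteria
        key = (ev.event_id, ev.source)
        group = open_groups.get(key)
        if group is not None and ev.time - group["start"] <= window:
            group["repeat"] += 1
        else:
            group = {"source": ev.source, "start": ev.time, "repeat": 1}
            open_groups[key] = group
            consolidated.append(group)
    return consolidated


def alerts(events, min_repeat=MIN_REPEAT):
    """Second rule: alert on consolidated events with a high enough repeat count."""
    return [(g["source"], g["start"], g["repeat"])
            for g in consolidate(events) if g["repeat"] >= min_repeat]


# Constructed sample data covering the cases the rules distinguish.
SAMPLE = [
    Event(0, 2, "AppA"), Event(30, 2, "AppA"),    # same source, 30 s apart: alert
    Event(10, 2, "AppB"), Event(100, 2, "AppB"),  # same source, 90 s apart: no alert
    Event(20, 2, "AppC"), Event(40, 2, "AppD"),   # different sources: no alert
    Event(5, 3, "AppA"),                          # different event ID: ignored
]

if __name__ == "__main__":
    for source, start, repeat in alerts(SAMPLE):
        print(f"ALERT source={source} first_seen={start}s repeat_count={repeat}")
```

Raising `MIN_REPEAT` or shortening `WINDOW` in the model corresponds to tightening the repeat count criterion and the consolidation period in the two rules.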