Share via

Microsoft.Windows.WmiProvider.FilteredEventProvider

  • Article

Applies To: Operations Manager 2007 R2

The Microsoft.Windows.WmiProvider.FilteredEventProvider module is a data source module type that queries a Windows Management Instrumentation (WMI) namespace at a scheduled frequency and returns the filtered results as System.Event.Data type data.

Usage

Use this module to query WMI for filtered object data and convert it into event data at a scheduled, recurring interval.

Type Definition

<DataSourceModuleType ID="Microsoft.Windows.WmiProvider.FilteredEventProvider" Accessibility="Public">
  <Configuration>
    <IncludeSchemaTypes>
      <SchemaType>System!System.ExpressionEvaluatorSchema</SchemaType>
    </IncludeSchemaTypes>
    <xsd:element name="NameSpace" type="xsd:string" />
    <xsd:element name="Query" type="xsd:string" />
    <xsd:element name="Frequency" type="xsd:integer" />
    <xsd:element name="Expression" type="ExpressionType" />
  </Configuration>
  <OverrideableParameters>
    <OverrideableParameter ID="Frequency" Selector="$Config/Frequency$" ParameterType="int" />
  </OverrideableParameters>
  <ModuleImplementation>
    <Composite>
      <MemberModules>
        <DataSource TypeID="Microsoft.Windows.WmiProvider" ID="DataSource">
          <NameSpace>$Config/NameSpace$</NameSpace>
          <Query>$Config/Query$</Query>
          <Frequency>$Config/Frequency$</Frequency>
        </DataSource>
        <ConditionDetection TypeID="System!System.ExpressionFilter" ID="Filter">
          <Expression>$Config/Expression$</Expression>
        </ConditionDetection>
        <ConditionDetection TypeID="System!System.Event.GenericDataMapper" ID="Mapper">
          <EventOriginId>$Target/Id$</EventOriginId>
          <PublisherId>$MPElement$</PublisherId>
          <PublisherName>WmiProvider</PublisherName>
          <Channel>WmiProvider</Channel>
          <LoggingComputer />
          <EventNumber>0</EventNumber>
          <EventCategory>3</EventCategory>
          <EventLevel>0</EventLevel>
          <UserName />
          <Params />
        </ConditionDetection>
      </MemberModules>
      <Composition>
        <Node ID="Mapper">
          <Node ID="Filter">
            <Node ID="DataSource" />
          </Node>
        </Node>
      </Composition>
    </Composite>
  </ModuleImplementation>
  <OutputType>System!System.Event.Data</OutputType>
</DataSourceModuleType>

Parameters

The Microsoft.Windows.WmiProvider.FilteredEventProvider module supports the configuration parameters described in the following table.

Parameter Type Overrideable Description

Namespace

String

False

Required parameter. Specifies the WMI namespace within which the module is to run the query.

Query

String

False

Required parameter. Specifies the SELECT WMI query to run.

Frequency

Unsigned Integer

True

Required parameter. Specifies the frequency in seconds at which to run the WMI query.

Expression

ExpressionType

False

Required parameter. Defines an expression that evaluates to true or false.

For more information about the Namespace and Query parameters, see the Microsoft.Windows.WmiProbe module.

If the expression defined in the Expression parameter evaluates to true, the incoming WMI data will be mapped to event data and stored in the Operations Manager database. If it evaluates to false, the workflow within the module will stop and no event data will be stored.

Composition

The Microsoft.Windows.WmiProvider.FilteredEventProvider module is a composite module that contains the member modules described in the following table.

Workflow Run Order Module Type Usage

1

Microsoft.Windows.WmiProvider

Returns the queried WMI object data as System.PropertyBagData and passes it on to the subsequent expression filter module for evaluation.

2

System.ExpressionFilter

Evaluates whether the specified expression on the incoming data evaluates to true and, if so, passes it on to the consequent mapping module.

3

System.Event.GenericDataMapper

Maps the incoming System.PropertyBagData data to System.Event.Data data.
Module Type Usage

Microsoft.Windows.WmiProvider.EventProvider

Queries a WMI namespace at a scheduled frequency and returns results as System.Event.Data type data.

External Module References

None.

Sample

The following XML sample illustrates a Rule element that queries WMI to see whether any of the targeted service instances are in a stop state. If the instance is in a stopped state and the publisher name is "Microsoft Sample Publisher," the rule generates an alert.


<Rule ID="ServiceStoppedEventRule" Enabled="true" Target="Microsoft.Sample.WindowsService" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Custom</Category>
  <DataSources>
    <DataSource ID="WMIDS" TypeID="Windows!Microsoft.Windows.WmiProvider.EventProvider">
      <NameSpace>root\cimv2</NameSpace>
      <Query>SELECT * FROM __InstanceOperationEvent WITHIN 60 WHERE Name='$Target/Property[Type="Microsoft.Sample.WindowsService"]/Name$' AND TargetInstance ISA 'Win32_Service' AND TargetInstance.State = 'Stopped'</Query>
      <Frequency>5000</Frequency>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="String">PublisherName</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="UnsignedInteger">Microsoft Sample Publisher</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="alert" TypeID="Health!System.Health.GenerateAlert">
      <AlertMessageId>$MPElement[Name="Microsoft.ModuleSamples.Alerts.AlertMessage"]$</AlertMessageId>
      <Priority>0</Priority>
      <Severity>0</Severity>
    </WriteAction>
  </WriteActions>
</Rule>

Information

   

Module Type

DataSourceModuleType

Input Type

None

Output Type

System.Event.Data

Implementation

Composite

Library

Microsoft.Windows.Library