In the documentation of the Alerts app it says:

“In the Alert Status pane, you can view the most recent alerts, filter them by severity or date, drill down to the individual devices that triggered an alert, if any, touch the queries underlying the alert; and more.”

I couldn’t see how to drill down to the underlying query after clicking on the device name as the documentation goes on to suggest. So my questions are these:

1) Can a custom PQL alert generate anything for the alert message?

2) Can we see the queries the built-in alerts are using?

and specific to the issue I am having now:

I used the built in “Windows Automatic Service Not Running” alert which works fine except I can’t exclude certain services that are ‘Auto’ are ‘Stopped’ and this is normal, like ‘Software Protection’ and ‘Performance Logs and Alerts’.

So I wrote my own custom alert which excluded those services, but does several things differently compared to the built-in alert that I don’t like.

1) There is no message indicating what services are the problem.
2) The built-in alert generates 1 alert per service, whereas my custom alert generates 1 alert per device.

I’m probably missing something here, but don’t I have to use a FROM path of /network/device to be able to have my first column be the device id (which is how the alert gets tied to the device)? And, if this is the case, does this limit my ability to create multiple alerts per device (one for each service in that condition)?

bump

I agree. Many of the servers we monitor have services set to Automatic, but that is only because at server startup they launch, do their job, then stop. This normal behavior.

However, GotoManage consistently bugs me that some Windows Automatic Services are not running - I know already!!! :P

It would be nice to implement some sort of global filter. Once we get an alert that “Service XYZABC is not running” and it isn’t supposed to be, we can adjust the Windows Automatic Services alert adding a filter to stop alerting on exactly “XYZABC” from here on in — be nice to have it cover all companies too. Once I’ve discovered it on ClientA, I don’t want to have to go through B, C, D, …Z and configure them too.

I DO want to know when the other services are not running.