Multiple Process Monitoring/Alerting

A couple of people have asked how to monitor multiple processes in a single rule using the Windows Performance Counter monitoring, which allows a wildcard on Object but not on Instance.  There are a couple of blog posts on multiple services, but I couldn’t find anything on processes.

The regular Windows Performance Counter provider actually does not work with multiple processes, but the WMI performance provider does. 

In the UI, you can create a unit monitor:

WMI Performance Counters -> Static Thresholds -> Single Threshold -> Simple Threshold

In the authoring console, the path to the same MonitorType is slightly different:

WMI Performance Counters -> Single Threshold -> Simple Threshold

You can obviously choose other types.

The available MonitorTypes that will handle multiple process instances without scripting are:

Windows!Microsoft.Windows.WmiBased.Performance.ThresholdMonitorType: Single threshold Monitor Type
Windows!Microsoft.Windows.WmiBased.Performance.DoubleThreshold: 3-state monitor (under, between, over thresholds)
Windows!Microsoft.Windows.WmiBased.Performance.DeltaThreshold: For rate-of-change monitoring
Windows!Microsoft.Windows.WmiBased.Performance.AverageThreshold: Moving average changes, useful for monitoring stocks
Windows!Microsoft.Windows.WmiBased.Performance.ConsecutiveSamplesThreshold: n consecutive samples over/under y threshold

What’s common to all of these is the WMI query and the mapping of WMI results to performance data.

WMI Namespace = Root\cimv2
Query = Select * from Win32_PerfFormattedData_PerfProc_Process where Name like "DLLHost%"

This query will give you performance data for *each* instance of DLLHost.  When you run the results through the mapper, they "fan out" so that each DLLHost instance’s performance data gets processed through the threshold filtering.  To find out the WMI name of the performance counter you want, you can test the WMI query in wbemtest (just run wbemtest from a command line, connect to Root\Cimv2, click the Query button, paste the query, and click Apply).  For example, "% Processor Time" as shown in perfmon is "PercentProcessorTime" in WMI.  Make sure you are using the WMI name.

The mapper transforms the WMI data into the equivalent of "native" performance data.  Downstream modules such as ExpressionFilters or Alert write actions can’t tell the difference between data run through a mapper and data that came straight from Windows Performance Counter data sources.  You tell the mapper what you want it to look like.  For example, most of these counters would come from


Instance = <Process Name>

Counter = <counter, such as "% Processor Time">

Value = <what you see in the perfmon graph>

So to do this for our example, the mapper would look as follows:

ObjectName = Process
CounterName = % Processor Time
InstanceName = $Data/Property[@Name='Name']$
Value = $Data/Property[@Name='PercentProcessorTime']$

Since the name and value are returned in the WMI results, we use the $Data…$ macro and the WMI names for the fields.

Once you’re past this step, everything else should be pretty familiar with regard to setting thresholds, averages, etc.
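The query and mapping above can be checked from PowerShell before authoring the monitor. This is an added example, not part of the original post: the function name ConvertTo-MappedPerfData, the threshold of 80 and the sample rows are assumptions made for illustration, and the function only imitates the mapper's fan-out, it is not an Operations Manager module.

```powershell
# Added example: imitate the WMI query -> mapper -> threshold chain for each process instance.
# ConvertTo-MappedPerfData is a hypothetical helper name, not an Operations Manager cmdlet.
function ConvertTo-MappedPerfData {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $WmiRow,
        [string] $ObjectName       = 'Process',
        [string] $CounterName      = '% Processor Time',
        [string] $InstanceProperty = 'Name',                 # WMI property used for InstanceName
        [string] $ValueProperty    = 'PercentProcessorTime', # WMI name, not the perfmon name
        [double] $Threshold        = 80                      # assumed threshold for illustration
    )
    process {
        # Fail loudly when the perfmon display name was used instead of the WMI property name.
        if ($null -eq $WmiRow.PSObject.Properties[$ValueProperty]) {
            throw "WMI row has no property '$ValueProperty'. Use the WMI name of the counter."
        }
        $value = [double] $WmiRow.$ValueProperty
        # One output record per WMI row: this is the fan-out the mapper performs.
        [pscustomobject]@{
            ObjectName    = $ObjectName
            CounterName   = $CounterName
            InstanceName  = $WmiRow.$InstanceProperty
            Value         = $value
            OverThreshold = $value -gt $Threshold
        }
    }
}

# Constructed sample rows (not real measurements) so the mapping can be tried offline.
$sampleRows = @(
    [pscustomobject]@{ Name = 'dllhost';   PercentProcessorTime = 3  }
    [pscustomobject]@{ Name = 'dllhost#1'; PercentProcessorTime = 92 }
)
$sampleRows | ConvertTo-MappedPerfData | Format-Table -AutoSize

# Live check on a Windows machine: same namespace and query as in the post.
$query = 'Select * from Win32_PerfFormattedData_PerfProc_Process where Name like "DLLHost%"'
Get-CimInstance -Namespace 'root\cimv2' -Query $query |
    ConvertTo-MappedPerfData |
    Format-Table -AutoSize
```

Each row in the output corresponds to one DLLHost instance, which is the data each threshold evaluation would see.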

Tags: Authoring; WMI; Windows Process; Wildcard; Operations Manager 2007


2 Responses to Multiple Process Monitoring/Alerting

  1. Unknown says:

    Just keep in mind that this will not work for Windows 2000 OS since WMI on Windows 2000 computers does not support the "Like" statement. I guess not many people still have those around, but still... I run into a few cases like this.

  2. redstone liu says:

    Hi Mike, I have a question: I have a rule to collect data from a database and use the mapper to save the data it collected to the performance counter, but the data in the database has 1 hour latency from the real time. That means in the performance view, the data for 17:00 is actually the value for 14:00. Do you know how to set the performance view to subtract this latency?
