Logs or PowerShell for tracking down a workflow?
In IR history, I notice that the support group will be changed by a workflow. How do I track down why? Is there a place to view what workflow is triggered and why?
When comments are sent to an end user, my IR seems to respond by changing the support group. I could probably fix it if I could tell what condition and template triggers the response. Any clues?
Best Answer
Justin_Workman Cireson Support Super IT Monkey ✭✭✭✭✭
@LeeJones - This script should show you what workflows finished within 2 minutes of your property change, this might help identify what workflow was the culprit:
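```powershell
Import-Module SMLets

$scsmServer = ""                               # set this to your SCSM management server
$propChangeTime = Get-Date '7-16-2019 15:01'   # time of the property change, from the work item history

# Walk every workflow and every job it has run
$workflows = Get-SCSMWorkflowStatus -ComputerName $scsmServer
foreach ($wf in $workflows) {
    $status = $wf.GetJobStatus()
    foreach ($s in $status) {
        # Difference between the job's finish time and the property change
        $ts = New-TimeSpan -Start (Get-Date $s.TimeFinished) -End $propChangeTime
        # Report the workflow once if a job finished within 2 minutes either side of the change
        if (($ts.TotalMinutes -lt 2) -and ($ts.TotalMinutes -gt -2)) {
            $wf.Name + " finished at " + $s.TimeFinished
            break
        }
    }
}
```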
Make sure you add your server and be aware that it may take a while. It took mine about 15 minutes to run.
1
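An added example, not part of the answer above and not SMLets code: the same time-window correlation run against several property changes at once, so a workflow that finishes near every change stands out from one that coincides only once. The job records, workflow names and change times are constructed sample data; in a live environment the records would be collected once from the `Get-SCSMWorkflowStatus` / `GetJobStatus()` loop in the answer.

```powershell
# Constructed sample data. Workflow names are hypothetical.
$jobs = @(
    [pscustomobject]@{ Workflow = 'Hypothetical_CommentNotification'; TimeFinished = [datetime]'2019-07-16T15:01:00' }
    [pscustomobject]@{ Workflow = 'Hypothetical_CommentNotification'; TimeFinished = [datetime]'2019-07-17T09:12:40' }
    [pscustomobject]@{ Workflow = 'Hypothetical_CommentNotification'; TimeFinished = [datetime]'2019-07-18T11:45:10' }
    [pscustomobject]@{ Workflow = 'Hypothetical_NightlyCleanup';      TimeFinished = [datetime]'2019-07-16T15:00:20' }
    [pscustomobject]@{ Workflow = 'Hypothetical_NightlyCleanup';      TimeFinished = [datetime]'2019-07-17T02:00:00' }
    [pscustomobject]@{ Workflow = 'Hypothetical_SlaRecalculation';    TimeFinished = [datetime]'2019-07-18T08:30:00' }
)

# Constructed change times, as they would be read from the incident history.
$changeTimes = @(
    [datetime]'2019-07-16T15:01:00'
    [datetime]'2019-07-17T09:12:00'
    [datetime]'2019-07-18T11:45:00'
)

function Find-WorkflowNearChange {
    param(
        [Parameter(Mandatory)] [object[]]   $Jobs,
        [Parameter(Mandatory)] [datetime[]] $ChangeTimes,
        [double] $WindowMinutes = 2
    )
    # One hit per (change, workflow) pair, however many jobs fall in the window
    $hits = foreach ($change in $ChangeTimes) {
        $Jobs |
            Where-Object {
                $_.TimeFinished -and
                [math]::Abs(($change - [datetime]$_.TimeFinished).TotalMinutes) -lt $WindowMinutes
            } |
            Select-Object -ExpandProperty Workflow -Unique |
            ForEach-Object { [pscustomobject]@{ Workflow = $_; Change = $change } }
    }
    # Rank workflows by how many of the changes they finished next to
    $hits | Group-Object Workflow |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Workflow';       e = { $_.Name } },
                      @{ n = 'ChangesMatched'; e = { $_.Count } },
                      @{ n = 'OfChanges';      e = { $ChangeTimes.Count } }
}

Find-WorkflowNearChange -Jobs $jobs -ChangeTimes $changeTimes | Format-Table -AutoSize
```

A workflow that matches every change is the one to inspect first; a workflow that matches a single change is more likely a scheduled job that happened to finish in the same window.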
Answers
It sounds like it might be the Exchange Connector applying a template.
That makes sense, but honestly I didn't set up the Exchange Connector.
The console history shows my workflow service account, which I think is used for Exchange. I removed the "support group" setting from the Incident Template... but I'm curious how I can "know" that this was what's what.
Maybe correlate workflow status (Administration/Workflows/Status) run times with the property change?
Are Orchestrator or SMA used in this environment?
I've been poking around in here, but with 108 workflows, it's "needle in the haystack" time. And every one that I've checked has 0 instances (which I did not expect).
:-$ it's new, I think we have SCORCH installed but not configured? I don't think we're doing much with SMA but we were talking about building some runbooks (we don't have an internal SME, I'm what I've got).
I'm guessing that a workflow is triggering on a new Analyst Comment and applying a template with the support group "Help Desk".
You could pinpoint this by getting the ID of the TierQueue:
Then find the template(s) which set this TierQueue:
And then try to look through the workflows which apply this template:
@Justin_Workman, here's what I got:
Microsoft.EnterpriseManagement.ServiceManager.Connector.SCO.RunbookMonitorRule_e6b1b34ee95642419900ec013cdf7f1c finished at 07/16/2019 15:01:00
@Konstantin_Slavin-Bo, I couldn't find anything, but maybe only because I already messed with the Incident Template...?
Maybe your runbook applied a template or set the value? That's the Orchestrator Runbook running.
I'm just going to accept that I need to either hire a SME or do a lot of training. :-/ It isn't happening now, not since July 16th...
I just wanted to jump in and point out how incredibly useful those last two lines of PowerShell are for so many different purposes. Sometimes the simple things are the most helpful!