I have the following SWQL alert trigger condition when there are a certain number of alerts on a particular device. I need to create a reset condition so that when the number of alerts on that device go back down to zero, the SWQL alert clears. The query doesn't return a value for zero rows, so I don't know how to reset the alert. This cannot be manually closed by company policy.
Trigger Condition:
SELECT Nodes.Uri, Nodes.DisplayName FROM Orion.Nodes AS Nodes
LEFT JOIN
(SELECT COUNT(*) as AlertsPer, AlertActive.TriggeredMessage AS Message, AlertObjects.EntityCaption, AlertObjects.RelatedNodeID AS TheNode
FROM Orion.AlertObjects
INNER JOIN Orion.AlertActive (nolock=true) AlertActive ON AlertObjects.AlertObjectID=AlertActive.AlertObjectID
INNER JOIN Orion.AlertConfigurations (nolock=true) AlertConfigurations ON AlertConfigurations.AlertID=AlertObjects.AlertID
Where (Message like '%power%' or Message like '%line card%' or Message like '%module%') and Message not like '%1 or more active%'
group by TheNode
HAVING COUNT(*) >= 1)
AS a ON a.TheNode=Nodes.NodeID
Where Nodes.Vendor = 'Cisco' and AlertsPer >= 1
This Reset Condition works with 1 alert but not multiple:
SELECT Nodes.Uri, Nodes.DisplayName FROM Orion.Nodes AS Nodes
Left Join
(SELECT COUNT(*) as AlertsPer, AlertActive.TriggeredMessage AS Message, AlertObjects.EntityCaption, AlertObjects.RelatedNodeID AS TheNode
FROM Orion.AlertObjects
INNER JOIN Orion.AlertActive (nolock=true) AlertActive ON AlertObjects.AlertObjectID=AlertActive.AlertObjectID
INNER JOIN Orion.AlertConfigurations (nolock=true) AlertConfigurations ON AlertConfigurations.AlertID=AlertObjects.AlertID
Where Message like '%power%' or Message like '%line card%' or Message like '%module%' or Message like '%1 or more active%'
group by TheNode
HAVING COUNT(*) = 1)
AS a ON a.TheNode=Nodes.NodeID
Where Message like '%1 or more active%' and Nodes.Vendor = 'Cisco' and AlertsPer = 1
I've also tried setting the COUNT or AlertsPer to 0, but that doesn't work either.
