I am looking at a Netflow predefined alerting flow used to set thresholds and alerting for bandwidth utilization by applications on a selected interface. I have a Netflow dashboard set up to show only specific applications' BW utilization on a selected VPN interface in our network. I want to add monitoring and alerting for the individual user IPs on that network based on bandwidth utilization. There is one existing alert that looks at application-specific bandwidth utilization. I want to modify the predefined query on that to look at user IPs instead of application-based utilization. Here is the SWQL query it currently has:
SELECT Interfaces.Uri, Interfaces.DisplayName
FROM Orion.NPM.Interfaces AS Interfaces
INNER JOIN
(
    SELECT InterfaceID
    FROM Orion.Netflow.FlowsByInterface
    WHERE
        (TimeStamp >= AddMinute(-5, DateTrunc('minute', GetUtcDate())) AND TimeStamp <= AddMinute(-1, DateTrunc('minute', GetUtcDate())))
        AND InterfaceID IN (4697)
        AND (ApplicationID IN (106235,104310,104312) AND ApplicationID != 0)
    GROUP BY InterfaceID
    HAVING ((SUM(IngressBytes)*8) / (5*60)) > 50000000
) AS Flows
ON Flows.InterfaceID = Interfaces.InterfaceID
Is there a way to modify this query to look at the IP address subnet in our SolarWinds IPAM, or the IP address objects showing up in the top 50 utilization dashboard, for setting a threshold and alerting based on user IP bandwidth utilization instead of application-specific bandwidth utilization?