Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Repeated Alert Throttling & Exclusion Filtering (Possible Feature Request)

Hi folks, unless someone can suggest a way to do this as the software currently stands consider this a feature request.

I'd like the syslog and trap viewers alert functionality to be able to automatically throttle email alerting of repeated events after a certain threshold has been reached.

I realise I can currently set a rule that will act against messages matching a patterns or regex's that will only trigger an action after a certain threshold is reached but I this is not the exact behaviour I require. I want to see all the individual messages until a threshold has been reached and then only receive summaries afterwards i.e.

"message <foo> was received from host <bar> ten times in the last hour."

This leads me onto something else, I would want this logic applying to most but not all messages but syslog and trap viewers' current filtering logic only allows one to explicitly include based on a pattern or regex. I'd like (in this instance and others) to be able to explicitly exclude hosts, message, etc.

Find more posts tagged with

Accepted answers

All comments

ecklerwr1

Sound like something similar to what the windows event log does after an event repeats for so long... they are suppressed for x amount of time.

GaryP

Yeah, it's also worth noting that I can't differentiate between messages coming from different nodes with the current functionality, either. If I set up a threshold for PORT_SECURITY-2-PSECURE_VIOLATION, for example, that triggers after 10 messages it can't differentiate between 8 messages from one host and 2 from another.

joepoutre

I know this is 6 years later, but we have this requirement too, and the Trap Viewer hasn't changed.

We need to throttle traps, but based on the device name, so that if we have two devices send the same type of trap, we don't accidently mask the traps from the second device by throttling due to a flood of traps from the first device.