Hello Community -
Looking for direction or ideas on how to create an alert on SolarWinds NPM that's customized for a specific result:
Currently there's an out-of-the-box alert - "Alert when a rogue mac address appears on network" - that detects and alerts on MAC addresses discovered on our Cisco Cat and Nexus switches. However, the Nexus ARP table does not refresh often, causing stale/bad data to be flagged. The retention period on the Nexus ARP table seems to be at least a month. After discussing with Cisco's tech support, the retention period is not configurable.
A possible solution is to adjust how far back the alert should look when determining whether to trigger. The trigger conditions unfortunately do not seem to present any variables to use to configure the alert to only recognize MACs whose last update on the same interface is 7 days or less. This will reduce the number of false positives. After reaching out to SolarWinds support, I was directed by them to the Thwack community for possible assistance in creating a custom SQL that can produce the desired results.
Any assistance would be much appreciated.
Thanks in advance