Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Custom SWQL query in NTA for packets per second?

Hello,

I was wondering if it's possible to setup a query in SWQL Studio to look for flows that have a certain number of packets per second. I've looked through Orion.Netflow.Flows (and Orion.Netflow for that matter) but wasn't able to find anything obvious. Essentially what I'm trying to accomplish is if, let's say, IP address x.x.x.x sends 1000 packets per second to internal IP y.y.y.y, trigger an alert. Apologies if this question is too vague but if anyone has ideas on where I can start it'd be greatly appreciated.

Thanks.

Find more posts tagged with

Accepted answers

All comments

KMSigma.SWI

Nope - what you've provided is sufficient, but I'd like to know the reason for it. Do you want this for an alert, to put on a dashboard, to use as part of an alert? I'm asking because that'll greatly affect the entities and/or the query structure.

mcohen

Thanks for your reply. This would be for an alert, we already have some alerts that send emails to our team. Those are just setup in the Alert Manager though. I'm looking for something similar, if any source IP on the Internet exceeds a certain packets per second threshold, trigger an alert and sent an email to a specific distro.

Thanks again.

KMSigma.SWI

Oooh. I like this. It might be tricky, but I can work towards something for you. Can you give me a bit? I'll need to mock up a thing or three in my lab to give it a valid test.

And just to cover all the bases, a flow alert won't work for your specific situation?

mcohen

Sure thing, take your time. I appreciate the assistance. No a flow alert won't suffice unfortunately, we're looking for something a bit more specific. I was just speaking with my colleague and to clarify a bit: an alarm should be generated if a single unique IP address from the Internet creates connections to 20 different internal servers in 10 seconds. The values are arbitrary in this case but just trying to illustrate better.

Although the packets per second threshold alarm would be useful as well.

Thanks!