Is it possible to do the above? For example, let's say I want to know if a service stops 3 or more times in 24 hours. Is there a way to write an alert for this?
Great point!!!
Updated:
```sql
join events on events.netobjectid = APM_AlertsAndReportsData.ComponentID
--match your message here
where events.message like 'netpermon event log:%'
--only look at component monitor events
and events.netobjecttype = 'AM'
--look over the last 1 day
and events.eventtime > (getdate()-1)
group by APM_AlertsAndReportsData.ComponentID, APM_AlertsAndReportsData.ComponentName
--find all components with >= 3 events
having count(eventid) >= 3
```
Quick bump for the morning crowd. Any ideas?
Just a real quick idea, you could theoretically write a normal component monitor alert that writes to something like the NetPerfMon event log, then create another alert that fires when you have more than X events in the log in the last Y time.
-ZackM
Loop1 Systems: SolarWinds Training and Professional Services
That's a brilliant idea, actually. I don't see an option to trigger alerts based on contents of the NetPerfMon event log, however. Is that something I would have to write with custom SQL/SWQL?
Here you go, just edit the message string to match whatever you write with your first alert. This will look for 3+ events over the last 1 day:
```sql
join events on events.netobjectid = APM_AlertsAndReportsData.ComponentID
--match your message here
where events.message like 'netpermon event log:%'
--look over the last 1 day
and events.eventtime > (getdate()-1)
group by APM_AlertsAndReportsData.ComponentID, APM_AlertsAndReportsData.ComponentName
--find all components with >= 3 events
having count(eventid) >= 3
```
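The count-in-a-window check from the query above, as an added example that is not part of the original thread: it runs the same filter, group and threshold against a constructed events table so the behaviour at the window edge and with the object-type filter can be checked offline. SQLite stands in for SQL Server, and the table layout, message text and component IDs are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for the events table; only the columns the thread's
# query touches are modelled.
SCHEMA = """CREATE TABLE events (eventid INTEGER PRIMARY KEY, netobjectid INTEGER,
    netobjecttype TEXT, eventtime TEXT, message TEXT)"""

# Same filter/group/having shape as the thread's query, minus the join to
# APM_AlertsAndReportsData; getdate()-1 becomes an explicit cutoff parameter.
QUERY = """SELECT netobjectid, COUNT(eventid) FROM events
WHERE message LIKE ? AND netobjecttype = 'AM' AND eventtime > ?
GROUP BY netobjectid HAVING COUNT(eventid) >= ?"""

def flapping_components(rows, now, prefix, threshold=3, window=timedelta(days=1)):
    """Return {component_id: count} for components with at least `threshold`
    matching events inside the window that ends at `now`."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO events (netobjectid, netobjecttype, eventtime, message) "
        "VALUES (?, ?, ?, ?)",
        [(cid, typ, ts.isoformat(sep=" "), msg) for cid, typ, ts, msg in rows])
    cutoff = (now - window).isoformat(sep=" ")
    return dict(db.execute(QUERY, (prefix + "%", cutoff, threshold)).fetchall())

NOW = datetime(2024, 1, 2, 12, 0)
MSG = "service stopped: "  # hypothetical text written by the first alert
SAMPLE = [  # constructed events: (component id, object type, time, message)
    (101, "AM", NOW - timedelta(hours=1), MSG + "Spooler"),
    (101, "AM", NOW - timedelta(hours=5), MSG + "Spooler"),
    (101, "AM", NOW - timedelta(hours=20), MSG + "Spooler"),
    (202, "AM", NOW - timedelta(hours=2), MSG + "W3SVC"),
    (202, "AM", NOW - timedelta(hours=3), MSG + "W3SVC"),
    (202, "AM", NOW - timedelta(hours=30), MSG + "W3SVC"),  # outside the window
    (303, "N", NOW - timedelta(hours=1), MSG + "node-level event"),
    (303, "N", NOW - timedelta(hours=2), MSG + "node-level event"),
    (303, "N", NOW - timedelta(hours=3), MSG + "node-level event"),
]

if __name__ == "__main__":
    print(flapping_components(SAMPLE, NOW, MSG))
```

The count is taken at evaluation time, so a component that qualified at noon stops qualifying once its oldest event ages past 24 hours.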
Alerts have a native feature that basically says "If X occurs for more than T minutes" then an alert will trigger. However, if you're concerned with how many times it happens (one good example is device X rebooted X times), then you probably need an advanced SQL query for that.
Having just built a SWQL events trigger today, may I recommend you also consider seeing if the netobjecttype field has a value for these events? If so, then you should include that in the query to make the filtering faster.
Does SQL evaluate the where clauses in order? If so, having that first might return fewer results into the wildcard message search. Neither are indexed, so I don't know if it would make any difference.
That's a good question, and the answer is (generally) "it depends".
Without having anything indexed, it's really up to the optimizer to figure that out for us.
Here's a quick little explanation I found years ago and bookmarked just to reference these questions.
https://stackoverflow.com/questions/484135/select-where-clause-evaluation-order