Hi all, I need help setting up a report for triggered alerts history for the past 1 day, but only for the two alerts below.
Thanks in advance
What information do you need in the report? Here's something that I think is close, it's SWQL.
SELECT
    AH.AlertObjects.AlertConfigurations.DisplayName as [Alert Name],
    AH.AlertHistoryID,
    AH.EventType,
    AH.Message,
    AH.TimeStamp,
    AH.AlertObjects.EntityCaption,
    AH.AlertObjects.EntityDetailsUrl,
    AH.AlertObjects.RelatedNodeCaption,
    AH.AlertObjects.RelatedNodeDetailsUrl
FROM Orion.AlertHistory AH
Where (AH.AlertObjects.AlertConfigurations.DisplayName like 'Cisco Store Router Down'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Down (P3)')
    and HOURDIFF(AH.TimeStamp, GetDate()) < 24 -- last day in hours
    and AH.EventType = 0 -- Event for alert trigger
Order By AH.TimeStamp DESC
I had to edit it, bad copy/paste
Just how many times over the past 24 hours the alert triggered
If you want the count, then try:
SELECT Count(AH.AlertHistoryID) as [Alerts Triggered]
FROM Orion.AlertHistory AH
Where (AH.AlertObjects.AlertConfigurations.DisplayName like 'Cisco Store Router Down'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Down (P3)')
    and HOURDIFF(AH.TimeStamp, GetDate()) < 24 -- last day in hours
    and AH.EventType = 0 -- Event for alert trigger
Need to add also the following alert name -
Not sure on SWQL structure for this
SELECT
    AH.AlertObjects.AlertConfigurations.DisplayName,
    Count(AH.AlertHistoryID) as [Alerts Triggered]
FROM Orion.AlertHistory AH
Where (AH.AlertObjects.AlertConfigurations.DisplayName like 'Cisco Store Router Down'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Down (P3)')
    and HOURDIFF(AH.TimeStamp, GetDate()) < 24 -- last day in hours
    and AH.EventType = 0 -- Event for alert trigger
Group By AH.AlertObjects.AlertConfigurations.DisplayName
Is this what you mean? Group counts by name
Sorry, I didn't make it clear enough. I need the following alert added into the SWQL as well:
Meraki Device Interface Down (P3)
So basically, it will report on 3 alerts.
I missed the word interface, thought it was the same, sorry
SELECT
    AH.AlertObjects.AlertConfigurations.DisplayName,
    Count(AH.AlertHistoryID) as [Alerts Triggered]
FROM Orion.AlertHistory AH
Where (AH.AlertObjects.AlertConfigurations.DisplayName like 'Cisco Store Router Down'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Down (P3)'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Interface Down (P3)')
    and HOURDIFF(AH.TimeStamp, GetDate()) < 24 -- last day in hours
    and AH.EventType = 0 -- Event for alert trigger
Group By AH.AlertObjects.AlertConfigurations.DisplayName
Any way we can add the alert Count to the following SWQL - Count( AH.AlertHistoryID) as [Alerts Triggered]
SELECT
    AH.AlertObjects.AlertConfigurations.DisplayName as [Alert Name],
    AH.AlertHistoryID,
    AH.EventType,
    AH.Message,
    AH.TimeStamp,
    AH.AlertObjects.EntityCaption,
    AH.AlertObjects.EntityDetailsUrl,
    AH.AlertObjects.RelatedNodeCaption,
    AH.AlertObjects.RelatedNodeDetailsUrl
FROM Orion.AlertHistory AH
Where (AH.AlertObjects.AlertConfigurations.DisplayName like 'Cisco Store Router Down'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Down (P3)'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Interface Down (P3)')
    and HOURDIFF(AH.TimeStamp, GetDate()) < 24 -- last day in hours
    and AH.EventType = 0 -- Event for alert trigger
Order By AH.TimeStamp DESC
thanks
Try adding the Count as another property.
SELECT
    AH.AlertObjects.AlertConfigurations.DisplayName as [Alert Name],
    Count (AH.AlertHistoryID) as [Alerts Triggered],
    AH.AlertHistoryID,
    AH.EventType,
    AH.Message,
    AH.TimeStamp,
    AH.AlertObjects.EntityCaption,
    AH.AlertObjects.EntityDetailsUrl,
    AH.AlertObjects.RelatedNodeCaption,
    AH.AlertObjects.RelatedNodeDetailsUrl
FROM Orion.AlertHistory AH
Where
    (AH.AlertObjects.AlertConfigurations.DisplayName like 'Cisco Store Router Down'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Down (P3)'
    or AH.AlertObjects.AlertConfigurations.DisplayName like 'Meraki Device Interface Down (P3)')
    and HOURDIFF(AH.TimeStamp, GetDate()) < 24 -- last day in hours
    and AH.EventType = 0 -- Event for alert trigger
Order By AH.TimeStamp DESC
I have tried adding the alert triggered table to the report, but it is only picking up one of the alert names instead of 3.
Here is another query. I commented the AlertID out, it may be easier to use that in the future.
SELECT
    COUNT([AH].AlertHistoryID) AS [Alerts Triggered]
    , [AH].AlertObjects.AlertConfigurations.DisplayName as [Alert Name]
--  , [AH].AlertObjects.AlertConfigurations.AlertID
    , [AH].EventType
    , [AH].Message
    , [AH].TimeStamp
    , [AH].AlertObjects.EntityCaption
    , [AH].AlertObjects.EntityDetailsUrl
    , [AH].AlertObjects.RelatedNodeCaption
    , [AH].AlertObjects.RelatedNodeDetailsUrl
FROM Orion.AlertHistory AS [AH]
WHERE [AH].EventType = 0
    AND [AH].TimeStamp >= ADDHOUR(-24,GETDATE())
--  AND [AH].AlertObjects.AlertConfigurations.AlertID in (584, 555, 582, 504, 139)
    AND [AH].AlertObjects.AlertConfigurations.DisplayName in ('Cisco Store Router Down', 'Meraki Device Down (P3)', 'Meraki Device Interface Down (P3)')
GROUP BY [AH].Message
ORDER BY [AH].TimeStamp DESC
Are you expecting something like this?
Try this in your Custom Table resource (SQL Query, not SWQL)
SELECT
    Name 'Alert Name',
    EntityCaption 'Object of Alert',
    COUNT(1) 'Times Alert Triggered'
FROM AlertHistoryView
WHERE EventTypeWord = 'Triggered'
    AND ((Name = 'Cisco Store Router Down') OR (Name = 'Meraki Device Down (P3)') OR (Name = 'Meraki Device Interface Down (P3)'))
    AND TimeStamp > (GETDATE()-1)
GROUP BY Name, EntityCaption