13 Replies Latest reply on Jul 11, 2014 8:22 AM by anitazuri

    Too Many Emails

    anitazuri


      Hello,

       

      I am trying to monitor for when an event is triggered.  I have so far created a Template using the wizard.  As a result I have the Template assigned to the node that I want to monitor and within that template there is an Application Monitor and a component monitor; the component monitor is using 'Windows Event Log Monitor' and I have configured this for gpupdate event 1501 etc.

       

      In Advanced Alerts, settings are as follows:-

      General tab: name of alert - Check alert every 5 mins

      Trigger Condition - Application Status is equal to Critical - trigger the action when condition lasts for more than 1 second

      Reset Condition - reset when trigger conditions are no longer true.

      Alert Suppression - default

      Time of Day - all days from 12:00am to 11:59pm

      Trigger Actions - I have set this up to email myself with a message - SMTP info is correct - Execute every day of the week (the execute between hours is unticked) - Alert Escalation is all greyed out; nothing is ticked.

      Reset Actions - nothing set in here

      Alert Sharing - I've added some variables.

       

      The problem I have is that the alert seems to be working but I'm getting close to 100 emails and I have no clue why.  I'm thinking it could be something to do with the logic in the trigger alert as I've tried variations and received no email.  I'm very new to this so I'm struggling with the solution.  I log on to the server that is being monitored then at a command prompt I type 'gpupdate' this instantly pops up in the system log and an email is triggered but lots and lots.... I feel so near yet so far :-|

       

      Any help would be much appreciated.

      Anita Roberts

        • Re: Too Many Emails
          HolyGuacamole

          How many servers have you assigned this template to?

          What duration are we talking about for these 100 emails?

           

          The Alert itself is straightforward and is one that is used routinely. So, the alert itself is fine. You will need to look at your component definitions to see what determines the status of a component monitor as Critical (and thereby the application monitors). Can you export your application template from Settings > SAM Templates > Manage Templates as well as the Alert from the Advanced Alert Manager, and attach to the reply?

            • Re: Re: Too Many Emails
              anitazuri

              Hello HolyGuacamole,

               

              I have assigned the template to one server only at the moment. I think I'm getting emails every time there is a 'poll' which is every 10 mins.

               

              Please excuse my naming 'ZZ_P_Spoolertest_now_GPupdate'! I was testing the print spooler event originally but changed it because there were too many events under the 'Service Control Manager' umbrella and I thought this might have had something to do with the amount of emails.

               

              Did I mention that I was getting emails through even when I hadn't run the 'gpupdate' command on the server. So, as soon as I enable this alert I receive close to 100 emails.... I thought it may be related to the logic of the trigger action, but as you say maybe I have fluffed something when setting up the APP/Component Monitors! As far as I know I've followed instructions from Solarwinds online help but I'm obviously missing something.

               

              Thanks very much......

              Anita

                • Re: Too Many Emails
                  scotthill

                  Do you have automatic thresholds in place? It is possible that the threshold is way too low causing the alert to trigger.

                  • Re: Too Many Emails
                    HolyGuacamole

                    Your component definition says

                    if SAM finds 1 Event ID 1501 in the System log w/ Log source of GroupPolicy in the last 1.5 polling intervals (7.5 minutes), mark the Component Monitor as Down,

                     

                    when that happens, your Application Monitor status would also be marked as Down. So, right now everything is working as defined.

                     

                    What is your objective here? When do you consider it to be a problem with your application? Do you want to be alerted only when there are x such events over y minutes? There are plenty of options based on what your objective is.

                     

                    Your statistic for this component can be based on event count

                     

                    [Screenshot: SAM-Event-Monitor-Count.png]

                     

                    The component status can be evaluated on this count based on thresholds for a single poll or sustained thresholds

                     

                    [Screenshot: SAM-Status-Options.png]

                     

                    You can read about sustained thresholds here

                    Server & Application Monitor 6.1 - New Feature Overview and Beta Sign-Up

                     

                    You will need to decide the criteria here and define the component monitor accordingly. Your alert is fine. No need to change anything there

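Added example (not part of the thread and not SolarWinds code): a simplified Python model of the evaluation HolyGuacamole describes above, an event count over a 1.5-interval lookback judged either per poll or as a sustained threshold. The event tuples are constructed, and the 5-minute poll, the "3 consecutive polls" rule and all function names are assumptions.

```python
from datetime import datetime, timedelta

POLL = timedelta(minutes=5)   # assumed: 1.5 intervals = 7.5 minutes, as in the reply
LOOKBACK = POLL * 1.5

def poll_counts(events, first_poll, polls, event_id=1501, source="GroupPolicy"):
    """Per poll, count matching events inside the lookback window."""
    counts = []
    for i in range(polls):
        end = first_poll + i * POLL
        counts.append(sum(1 for ts, eid, src in events
                          if eid == event_id and src == source
                          and end - LOOKBACK < ts <= end))
    return counts

def single_poll_status(counts, threshold=1):
    """Down whenever one poll meets the threshold."""
    return ["Down" if c >= threshold else "Up" for c in counts]

def sustained_status(counts, threshold=1, consecutive=3):
    """Down only after `consecutive` polls in a row meet the threshold (assumed rule)."""
    statuses, run = [], 0
    for c in counts:
        run = run + 1 if c >= threshold else 0
        statuses.append("Down" if run >= consecutive else "Up")
    return statuses

def trigger_count(statuses):
    """Up -> Down transitions: how often a 'status is Down' alert that resets would fire."""
    return sum(1 for prev, cur in zip(["Up"] + statuses, statuses)
               if prev == "Up" and cur == "Down")

# Constructed sample events: (timestamp, event id, log source)
T0 = datetime(2014, 7, 1, 9, 0)
ONE_GPUPDATE = [(T0 + timedelta(minutes=3), 1501, "GroupPolicy"),
                (T0 + timedelta(minutes=4), 7036, "Service Control Manager")]
RECURRING = [(T0 + timedelta(minutes=m), 1501, "GroupPolicy") for m in (3, 8, 13, 18)]

if __name__ == "__main__":
    for name, events in (("one gpupdate", ONE_GPUPDATE), ("recurring", RECURRING)):
        counts = poll_counts(events, T0, 8)
        single, sustained = single_poll_status(counts), sustained_status(counts)
        print(name, counts)
        print("  single poll:", single, "triggers:", trigger_count(single))
        print("  sustained  :", sustained, "triggers:", trigger_count(sustained))
```

In this model a single matching event is counted by two consecutive polls because the lookback windows overlap, yet it produces only one Up-to-Down transition; the sustained rule ignores it and reacts only to the recurring case.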
                      • Re: Too Many Emails
                        anitazuri


                        Hello Guys,

                         

                        Thanks for your replies they helped me a lot in terms of thinking about the process more and the places where I needed to delve further.  I have since discovered that I seem to be receiving alerts from a few different servers, even though my trigger alert states a particular node name!  Also, when I untick the advanced alert I am still receiving alerts!

                         

                        I noticed that the Component Monitor name in the Template that I created was 'Windows Event Log Monitor' so I wasn't sure if this was the reason I was receiving 'Event Alerts' for many different servers. I decided to delete that template and set up the event monitoring again, this time I clicked on the Node, then 'Real-Time Event Log Monitor' and set up the monitoring from there, unfortunately I'm still receiving alerts for components on other servers.  It's driving me mad, obviously my logic is skew-whiff somewhere.

                         

                        I'm testing using 'gpupdate' because we want to monitor events that are failing on one of our bespoke imaging software servers, every time they fail we have lost processing time in the Middle East.  We can't test the failure of these events until they actually fail apparently, so I was asked to test against 'gpupdate'.  Every time I type 'gpupdate' onto the test server it shows up in the event log and an email is sent, however I still have the problem of all the other things coming through and I don't understand how this is possible unless what I have created is linked to something else...

                          • Re: Too Many Emails
                            Syed H

                            Hi Anita,

                             

                            Please select a simple alerting mechanism as below. Hopefully this would resolve the issue.

                            In advanced alert please add these conditions:

                             

                            1. Application name is equal to <application name>

                            2. Component status is equal to down

                             

                             

                            Increase the alert trigger time to 6 mins.

                             

                            Hopefully this would resolve the issue.

                             

                            thanks.

                            Syed

                              • Re: Too Many Emails
                                anitazuri

                                Hi Syed,

                                 

                                Thanks, I tried what you suggested but I'm still getting emails/alerts for other servers that are alerting for other events and services.  Quite bizarre, I thought if you set up monitoring for a unique event on one particular server that the alert should only look for those conditions.  I'm wondering if the guy who was working on this before me has put some generic template in somewhere.

                                 

                                thanks again

                                Anita

                                  • Re: Too Many Emails
                                    Syed H

                                    Hi Anita,

                                     

                                    It seems that you have multiple event log alert templates enabled, please check for the same in advanced alert. You can also check for trigger queries in Database Manager---> Netperfmon---> alert definitions table

                                     

                                    Here you can check for all enabled alerts.

                                    Please check if there are any similar conditions for event log alerts in trigger queries.

                                     

                                    Thanks,

                                    Syed

                                      • Re: Too Many Emails
                                        anitazuri

                                        Hello Syed,

                                         

                                        I found the database which was helpful and I've done some tidying up around the system.  I am now receiving one alert when I run 'gpupdate' on the specific server.  The problem I have is it doesn't work with the advanced alert I've created but it works with the standard 'alert me when an application goes down'.

                                         

                                        As a test I am going to change the alert that I created to mirror the one that works.  I don't understand why the working alert works for my server because in the trigger condition it states:

                                                                                                    Node Status is not equal to down

                                                                                                    Application Status is equal to Down

                                        Whereas my alert states:

                                                                                                    Node Name is equal to SQLL1

                                                                                                    Application name is equal to ZZ_gpupdate

                                                                                                    Component status is equal to critical (I can't seem to select down at this point)

                                         

                                        I'm very new to this, I've had no involvement in setting the system up and I've not done any courses; I'm learning as I go. I think I need to spend a few weekends reading the manuals! Thanks for your help.

                                         

                                         

                                        Anita

                                          • Re: Too Many Emails
                                            HolyGuacamole

                                            Hi Anita,

                                            If you are evaluating the software, please reach out to your sales contact to arrange for engineering assistance. If you have already purchased the software, please open a support ticket.

                                              • Re: Too Many Emails
                                                anitazuri

                                                Hello, I'm not evaluating the software, I am trying to set up a variety of crucial business alerts that will alert the support team via email when a particular event happens on a particular server.  I don't understand why it works when I select one of the 'out of the box' advanced alerts, but when I set up my own using the same logic as the 'out of the box' alert I receive 30+ emails for many other servers as well as the alert I actually want.

                                                 

                                                Apparently Solarwinds was bought by the company many years ago so don't think we would still be entitled to support; I will check this out with someone here.

                                                Thanks

                                                Anita

                                              • Re: Too Many Emails
                                                Syed H

                                                Hi Anita,

                                                 

                                                Please create an alert with below conditions if that helps

                                                 

                                                NODE status is NOT equal to down AND

                                                ApplicationName is equal to  AND

                                                Component status is equal to down

                                                 

                                                Thanks,

                                                Syed

                                                  • Re: Too Many Emails
                                                    anitazuri

                                                    I seem to have found a solution.  I have copied one of the general 'out of the box' advanced alerts, renamed it and added variables into the email section.  This seems to work as I no longer receive dozens of emails.  I now receive two emails, one from the 'alert me when an application goes down' alert and one from the copy that I've configured with specific details in an email to myself.  I'm not sure if there is a better way but it was driving me mad so will settle for this until I can spend more time learning about Solarwinds.

                                                     

                                                    Thank you all so much for your help and being patient :-/

                                                    Anita