This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

LA Log Volume?

Long time Orion user, but first time dealing with LA specifically.  I realize it's licensed per log source, not by log volume, but it seems like there should still be a report, or ideally a widget showing the log volume?  If there is one, I'm not finding it nor am I getting much from Google.  Is this data available somewhere, short of just checking the size of the database?

  • Are you interested in overall volume or broken down by node? There is no default view or report to cover that but if you are at all familiar with creating custom widgets and reports using SQL / SWQL, you can find what you need in the LogEntry and LogEntryMessageSource tables. I believe if you join those together on the SourceID you should be able to get counts both overall and by node.

  • Thanks for the response.  I was hoping to avoid the custom SQL/SWQL route, but could do that if necessary.

    Ideally volume by node to identify "noisy" devices and total volume. Unless I'm blind, I don't see the log/event database total size reported anywhere either.  Database manager/statistics only reports the main Orion database info as far as I can see.  So right now in my test case, it's reporting a 4.3Gb DB size when in fact the event database is 90Gb.  In general it seems a bit odd to have a logging product that doesn't give you any details regarding the volume of logs it's getting.

  • I've used this SQL query before to find "top talkers" for sending traps/syslog.

    SELECT lems.Caption AS [Node Name], lems.IPAddress AS [IP Address], lems.Vendor, lems.MachineType AS [Machine Type], COUNT(le.logentrymessagesourceid) AS [Message Count]
    FROM [SolarWindsOrionLog].[dbo].[OrionLog_LogEntryMessageSource] lems
    INNER JOIN [SolarWindsOrionLog].[dbo].[OrionLog_LogEntry] le ON le.LogEntryMessageSourceID = lems.LogEntryMessageSourceID
    GROUP BY lems.Caption, lems.IPAddress, lems.Vendor, lems.MachineType
    ORDER BY COUNT(le.logentrymessagesourceid) DESC

    You can create a Report with a Custom Table, or add a Custom Table resource to a view and use Custom SQL as the data source.

    Here's a screenshot from running it when showing a client what was filling up their log disk.

    image.png

    You could probably adjust the SQL to include the message type (syslog/trap).

    On another note; there's probably a hiccup somewhere in converting the Report Builder to a SWQL query but when I tried to create the above report using the GUI (same columns), the report would time out. The SQL query ran in ~3 seconds, so I left it as a SQL datasource.