Traps setup issue


NPM 2020.2 in use and i am trying to code Advanced SQL trap alerts. But the trap database table contains no data. I can see the traps coming in via log viewer. The Trap database statistics show no rows of data also. 

Any Ideas?

Sorry i am a newbie on a steep learning curve

Thanks in advance

  • On 2020.2 the old log viewer still opens but as you say, shows no data.

    Solarwinds deprecated this with the latest version so it can only be done from log viewer - which by their own admission, is far from complete and far from providing the functionality of the trap viewer.

    My cynical take on this is they've removed a working aspect and are now pushing their all new "log analyzer" <sic> Yes, there's a free version, but for full live functionality you need to start paying. And licensing is, from my view, horrendously expensive. Just my 2p mind.

  • Hi   

    I have been successful in creating alerts from the log viewer as as per your link. What I am also trying to achieve is alert trigger delay filter

    Active alarm trap is received and processed (As Below)


    Trigger Condition 


    What i am unable to do is create a 1min delay using this method. I only want alerts for  alarms that is active for  > 1 min.

    The alarm delay conditions disappears when Log analyzer alert message event is selected as a trigger. Online reading points me towards using custom SQL to achieve this.

    I have traps coming in and working.


    But the trap database file is empty for SQL 



    Thanks in advance


  • The way the Analyzer alert integration works is your basically creating an event-driven alert. So LA triggers an event and your alert is looking for that event, there isn't an option to add a delay in this scenario. The only workaround for this would be to write a Custom SWQL/SQL Alert to reference you conditions directly from the Log Analyzer database.

  • Hi  ,

    Would to be so kind and point me to the correct SQL database table as the traps one is empty



  • I'd build it out in SWQL. Not sure exactly how I'd build an alert with this yet (as I've not done it myself) but this would be some SWQL to get you going looking at the syslogs from SolarWinds Orion Log Viewer (LV) or Log Analyzer (LA). I've always used the built-in functionality. Might require some crafty SWQL work to achieve what you're looking for.. as other folks have mentioned syslogs are really event driven in SolarWinds.

    SELECT TOP 1000 n.Caption, n.MachineType, ms.IPAddress AS SourceIP, le.LogEntryID, le.LogEntryTypeID, le.LogEntryLevelID, le.NodeID, le.MessageSourceID, le.DateTime, le.MessageDateTime, le.Message
    FROM Orion.OLM.LogEntry AS le
    LEFT JOIN Orion.Nodes AS n
    ON le.NodeID = n.NodeID
    LEFT JOIN Orion.OLM.MessageSources AS ms
    ON le.MessageSourceID = ms.MessageSourceID

    This is just a start... there's much more possibility with this. Above is just a couple quick left joins to pull in the caption and machine type of the node, and the source IP of the received log.

    Much of this could be easily translatable (as usual) from SWQL to SQL. Just keep in mind that in SQL, LV / LA have their own database as it's memory-optimized. In SQL you could look in OrionLog_LogEntry table in then SolarWindsOrionLog' database (default name unless changed I believe...)

    I hope this helps.

  • Apologies, it appears I may have mis-understood your request.

    But I am following along with interest as I'd love to see what you develop if you are successful.

  • Sorry - I just re-read this post with a little more sleep under my belt. What your asking for might not be achievable.

    If I've re-read this correctly, what your asking for is a 1min trigger delay whereby the Alert will only trigger IF The condition exists for > 1 minute?

    Traps/Syslog are basically event messages so it isn't possible for the EXIST condition to apply here as the condition exists in the database for as long as you store it, like all events. As there are no natural reset conditions for a Trap/Syslog I'm not sure why you would want a delay. The only thing you could do is potentially look at using the Custom SWQL (Thx  ) to only trigger after multiple triggers of the same event on the same node ?