
Traps setup issue

Hi,

NPM 2020.2 in use and I am trying to code Advanced SQL trap alerts. But the trap database table contains no data. I can see the traps coming in via log viewer. The Trap database statistics show no rows of data also.

Any ideas?

Sorry, I am a newbie on a steep learning curve

Thanks in advance

  • On 2020.2 the old log viewer still opens but as you say, shows no data.

    SolarWinds deprecated this with the latest version so it can only be done from log viewer - which by their own admission, is far from complete and far from providing the functionality of the trap viewer.

    My cynical take on this is they've removed a working aspect and are now pushing their all new "log analyzer" <sic> Yes, there's a free version, but for full live functionality you need to start paying. And licensing is, from my view, horrendously expensive. Just my 2p mind.

  • Hi

    I have been successful in creating alerts from the log viewer as per your link. What I am also trying to achieve is an alert trigger delay filter.

    Active alarm trap is received and processed (As Below)

    Travisty_1-1593208587621.png

    Trigger Condition

    Travisty_2-1593208774633.png

    What I am unable to do is create a 1min delay using this method. I only want alerts for alarms that are active for > 1 min.

    The alarm delay conditions disappear when Log analyzer alert message event is selected as a trigger. Online reading points me towards using custom SQL to achieve this.

    I have traps coming in and working.

    Travisty_3-1593209221624.png

    But the trap database file is empty for SQL.

    Travisty_5-1593209335589.png

    Travisty_4-1593209318780.png

    Thanks in advance

    Travis

  • The way the Analyzer alert integration works is you're basically creating an event-driven alert. So LA triggers an event and your alert is looking for that event, there isn't an option to add a delay in this scenario. The only workaround for this would be to write a Custom SWQL/SQL Alert to reference your conditions directly from the Log Analyzer database.

  • Hi,

    Would you be so kind and point me to the correct SQL database table, as the traps one is empty?

    Thanks

    Travis

  • I'd build it out in SWQL. Not sure exactly how I'd build an alert with this yet (as I've not done it myself) but this would be some SWQL to get you going looking at the syslogs from SolarWinds Orion Log Viewer (LV) or Log Analyzer (LA). I've always used the built-in functionality. Might require some crafty SWQL work to achieve what you're looking for.. as other folks have mentioned syslogs are really event driven in SolarWinds.

    SELECT TOP 1000 n.Caption, n.MachineType, ms.IPAddress AS SourceIP, le.LogEntryID, le.LogEntryTypeID, le.LogEntryLevelID, le.NodeID, le.MessageSourceID, le.DateTime, le.MessageDateTime, le.Message
    FROM Orion.OLM.LogEntry AS le
    LEFT JOIN Orion.Nodes AS n
    ON le.NodeID = n.NodeID
    LEFT JOIN Orion.OLM.MessageSources AS ms
    ON le.MessageSourceID = ms.MessageSourceID


    This is just a start... there's much more possibility with this. Above is just a couple quick left joins to pull in the caption and machine type of the node, and the source IP of the received log.

    Much of this could be easily translatable (as usual) from SWQL to SQL. Just keep in mind that in SQL, LV / LA have their own database as it's memory-optimized. In SQL you could look in the OrionLog_LogEntry table in the 'SolarWindsOrionLog' database (default name unless changed I believe...)

    I hope this helps.

  • Apologies, it appears I may have misunderstood your request.

    But I am following along with interest as I'd love to see what you develop if you are successful.

  • Sorry - I just re-read this post with a little more sleep under my belt. What you're asking for might not be achievable.

    If I've re-read this correctly, what you're asking for is a 1min trigger delay whereby the Alert will only trigger IF The condition exists for > 1 minute?

    Traps/Syslog are basically event messages so it isn't possible for the EXIST condition to apply here as the condition exists in the database for as long as you store it, like all events. As there are no natural reset conditions for a Trap/Syslog I'm not sure why you would want a delay. The only thing you could do is potentially look at using the Custom SWQL (Thx  ) to only trigger after multiple triggers of the same event on the same node?
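
Added example, not part of any post in this thread and not SolarWinds code: the "multiple triggers of the same event on the same node" idea from the last reply, written as plain Python over constructed rows so the selection logic can be checked before porting it to a custom SWQL/SQL alert. The field names NodeID, DateTime and Message come from the SWQL query earlier in the thread; the function name, thresholds and sample data are assumptions, as is the premise that the device re-sends the trap while the alarm stays active.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like Orion.OLM.LogEntry results (not real data).
NOW = datetime(2020, 6, 26, 21, 2, 0)
ROWS = [
    {"NodeID": 7,  "DateTime": datetime(2020, 6, 26, 21, 0, 5),  "Message": "alarmActive"},
    {"NodeID": 7,  "DateTime": datetime(2020, 6, 26, 21, 0, 35), "Message": "alarmActive"},
    {"NodeID": 7,  "DateTime": datetime(2020, 6, 26, 21, 1, 20), "Message": "alarmActive"},
    {"NodeID": 9,  "DateTime": datetime(2020, 6, 26, 21, 1, 0),  "Message": "alarmActive"},
    {"NodeID": 12, "DateTime": datetime(2020, 6, 26, 21, 0, 50), "Message": "alarmActive"},
    {"NodeID": 12, "DateTime": datetime(2020, 6, 26, 21, 1, 10), "Message": "alarmActive"},
    {"NodeID": 7,  "DateTime": datetime(2020, 6, 26, 20, 50, 0), "Message": "linkDown"},
    {"NodeID": 7,  "DateTime": datetime(2020, 6, 26, 20, 52, 0), "Message": "linkDown"},
]


def persistent_alarms(rows, now, window=timedelta(minutes=5),
                      min_hits=2, min_span=timedelta(minutes=1)):
    """Return (NodeID, Message) pairs that repeated inside the look-back
    window and whose first and last occurrence are at least min_span apart.

    A single trap never qualifies: events have no duration, so "active for
    more than a minute" is approximated by the same event still arriving
    a minute after it was first seen.
    """
    seen = defaultdict(list)
    for row in rows:
        # Only consider events inside the look-back window ending at `now`.
        if now - window <= row["DateTime"] <= now:
            seen[(row["NodeID"], row["Message"])].append(row["DateTime"])

    hits = []
    for key, times in seen.items():
        repeated = len(times) >= min_hits
        lasted = max(times) - min(times) >= min_span
        if repeated and lasted:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for node_id, message in persistent_alarms(ROWS, NOW):
        print(f"node {node_id}: '{message}' persisted for over a minute")
```

In a query, the same test is a GROUP BY on node and message over a time-bounded WHERE clause, with the hit count and the first-to-last time difference checked in HAVING.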