• State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 39 subscribers
  • Views 499 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Having trouble with Custom SWQL Widget that displays ServiceNow incident information and alert count for the last 30 days

rmullal

I'm having a bit of trouble with this SWQL query I'm writing. Currently, it's displaying active alerts that have a ServiceNow ticket attached to it with other information (some custom properties, who it's assigned to, the node name, etc.)
Where i'm having trouble is pulling in the alert count for the last 30 days. I'm using the COUNT function on the message in the alert history table. It only displays a 1, no matter what I try. I think it's because it's looking for orion events with a status of 2 or 3 (active). since active alerts only post one message when it's active, we will only get a 1 each time.

What am I doing wrong?!?! Is there a work around for this?  Thank you all in advance!

Here is my query:

SELECT 
o.EntityCaption AS [OBJECT], '/Orion/images/StatusIcons/Small-' + p.StatusIcon as [_IconFor_OBJECT], '/Orion/NetPerfMon/NodeDetails.aspx?NetObject=N:' + tostring(p.NodeID) as [_LinkFor_OBJECT]
,ToLocal(o.AlertActive.TriggeredDateTime) AS [ALERT TRIGGER TIME]
    --Time Active--
,CASE
when minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())>1440 then (tostring(round(minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())/1440.0,1)) + ' Days')
when minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())>60 then (tostring(round(minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())/60.0,1)) + ' Hours')
else (tostring(minutediff(o.AlertActive.TriggeredDateTime,GETUTCDATE())) + ' Minutes')
end as [Time Active]
    --End time active--
,c.TimeZone as [TIME ZONE]
, c.State
,o.RelatedNodeDetailsURL AS [_LinkFor_RELATED NODE]
,a.AssignedTo AS [OWNER]
, a.IncidentNumber as [Incident], 'domain.service-now.com/incident.do?sys_id=' + tostring(a.IncidentID)  + '&sysparm_record_target=incident&sysparm_record_row=2&sysparm_record_rows=568&sysparm_record_list=123TEXTQUERY321%3Dc0925%5EORDERBYDESCsys_created_on' +' target="_blank"' as [_LinkFor_Incident]
,count(ah.message) as [Alert Count Last 30 Days]  

From Orion.AlertActive aa
join orion.ServiceNow.AlertIncident a on a.AlertObjectID = aa.AlertObjectID
join Orion.AlertObjects o on aa.alertobjectid=o.alertobjectid
LEFT join Orion.Nodes p on p.nodeid=relatednodeid
join Orion.NodesCustomProperties c on c.NodeID = p.NodeID
left join orion.alerthistory ah on ah.AlertActiveID=aa.AlertActiveID and ah.EventType in (2,3)

where daydiff(ah.timestamp,GETUTCDATE())<30 and (p.Caption like '%-FW%' or p.Caption like '%-CGX%' or p.Caption like '%-AP%' or p.Caption like '%-VS01%' or p.Caption like '%-Switch%' or c.storeVM = True)
and a.State not in ('Closed Complete', 'Complete') and a.IncidentUrl not like '%dev%' and a.IncidentUrl not like '%test%' and p.UnManaged = False
group by [OBJECT]
--having count(ah.message) >= 0  
ORDER by o.AlertActive.TriggeredDateTime DESC

Parents
  • 0

    So I don't have your custom properties, so if I comment out lines 11, 12, and get rid of part of the where clause: and (p.Caption like '%-FW%' or p.Caption like '%-CGX%' or p.Caption like '%-AP%' or p.Caption like '%-VS01%' or p.Caption like '%-Switch%' or c.storeVM = True) 
    It runs for me pretty well. What do you see? 

    BTW I think you are saying the counts have 1 entry each, and mine do not... 

  • 0 in reply to jm_sysadmin

    thank you for the reply! Yeah, mine only returns a 1 on the [Alert Count Last 30 Days] even though i can see in the alert history table that there's more than one entry for a lot of the objects: 

    I'm still playing around with the query and i have a feeling my EventTypes might be wrong. Should they only be (2,3)? referring to line 23

  • 0 in reply to rmullal

    event types 2,3 didn't stop me from getting accurate results they seem to be sending and getting status from Service now, but I don't know all the IDs. 

Reply Children
No Data

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.