Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

How to create an alert for Network Device Flapping

Is there a way to create an Alert for when a Network Device is Flapping? For example, If an Access Point is triggering 20 Down events within 7 days.

Thank you for your help,

Tom

Find more posts tagged with

npm

Alerts

Accepted answers

KMSigma.SWI

Here's an alert you can probably use as a base - you'd just need to tweak it a little bit to specify for it for your own devices (Access Points).

Seashore

Hi
I Think this will work, alerting on nodes that have more than 20 node down events last 48 hours:

Create a custom SQL alert with node as base and add below code:

INNER JOIN
(select
Count(Eventid) as nroftimes
,NetworkNode
FROM Events
Where
EventType=1 --Node down
AND EventTime>GETUTCDATE()-48 --Events last 48 hours
Group BY NetworkNode
HAVING Count(Eventid)>20
) AS E ON Nodes.NodeID=E.NetworkNode

You could also use that code if you want a report instead.

All comments

KMSigma.SWI

Here's an alert you can probably use as a base - you'd just need to tweak it a little bit to specify for it for your own devices (Access Points).

Seashore

Hi
I Think this will work, alerting on nodes that have more than 20 node down events last 48 hours:

Create a custom SQL alert with node as base and add below code:

You could also use that code if you want a report instead.

edgar.hill

Is there an alert for Specific Interfaces flapping defined by a custom property called XYZ as true?

stuartd

This is the alert we have for flapping interfaces....

Adjust adjust the figures to suit yourself but above 'as is' will trigger an alert if an interface goes down 5 times in 1hr.

If you want to narrow it down to a specific interface(s) then you will need to create a WHERE filter to select them. If it's based on a custom property, then you will most likely need to do a join to the interface (or node) CP and reference that in your WHERE statement.

HTH?

sunvad

Hi, can this be used to set up alerts for flapping BGP routes?

KMSigma.SWI

This inquiry should probably be built as a separate thread (best placed in the Alert Lab) so that we don't muddy the waters and solutions.

jlescano

if I wanted to change it to day and see how many times it flaps..how can I convert the code below to add a count? so far I have the following.

SELECT count (*) as qty, Interfaces.Fullname, Interfaces.InterfaceID
from Interfaces
join events on interfaces.InterfaceID = events.netobjectid
where eventtime > dateadd(day,-1,GETDATE()) and eventtype ='10'
group by eventtype, interfaceid, fullname, message
having count (eventid)>=3
Order by qty desc

however as any of you know, I'm only allowed the following header in the alert manager

SELECT Interfaces.FullName, Interfaces.InterfaceID FROM Interfaces

thoughts?

stuartd

My SWQL is not up to this level of skill but maybe @sum_giais or @Seashore can help with that.

Seashore

Sure, can this be what you are after? Same method as above, inner join the actual trigger query. Written in SQL, not SWQL.

SELECT Interfaces.FullName, Interfaces.InterfaceID FROM Interfaces

INNER JOIN
(
SELECT 
	count (E.EventID) AS qty
	,I.InterfaceID
FROM Interfaces AS I
INNER JOIN [events] AS E ON i.InterfaceID = e.netobjectid
WHERE 
	E.eventtime > dateadd(day,-1,GETDATE()) 
	AND E.eventtype ='10'
GROUP BY I.interfaceid
HAVING count (E.eventid)>=3
) AS Eventqty ON Interfaces.Interfaceid=Eventqty.InterfaceID

Everything except the first line is what you put in the code box.

jlescano

When I run the query, my result doesn't show the qty (number of flapping for the giving interface).

Seashore

Could be because you don't have any interfaces matching the filters. Try remove the line "HAVING count...." and see if you get any results back

jlescano

no luck...still doesnt show the column for qty. But I did see results (juts not displaying my nodes in the pic below). I also tried to change the day to week to confirm I see results. Got the same output. Fullname | InterfaceID but no qty column.

Seashore

Ohh, but you will not see the qty in the output as Orion can't handle that in the alert rule. If you want to see the qty just runt the part between the ().

The rest is for the query to work as a "custom alert query".

jlescano

gotcha thanks for the info and help.

sum_giais

Future proofing it, this is essentially the same query @Seashore provided, converted into a custom SWQL variable that you could throw into an email action or similar for your alert communication to get the specific count for the interface that triggered the alert -- may need some adjustments depending on the timeframe that you're looking at for these events.

${N=SWQL;M=SELECT COUNT(e.EventID) AS [DownCount] FROM Orion.Events AS e INNER JOIN Orion.NPM.Interfaces AS i ON i.InterfaceID = e.NetObjectID AND e.NetObjectType = 'I' WHERE DAYDIFF(e.EventTime, GETUTCDATE()) <= 1 AND e.EventType = 10 AND i.InterfaceID = ${N=SwisEntity;M=InterfaceID} }</pre>

jlescano

Worked perfectly...exactly what I was looking for to notify the engineers how many times its flapped. also making a widget, hour, day, week to help level 2 and level 3 folks review possible upcoming issues.

webbdom

Great - this is just the question I was coming to ask! Looks as though I'll be able to make use of some of these answers despite being an SQL/SWQL ignoramus.