How to edit RootCause variable for email alerts?

Hello Community!

What is the best possible way to remove the type of objects that show up under the`${N=SwisEntity;M=NodeStatusRootCause}` variable? The reason being in our environment we have a variety of interfaces we are monitoring, some warrant further investigation when they flap, some not so much and others are in admin down.  Currently, alerts that have the ${N=SwisEntity;M=NodeStatusRootCause} variable will include interfaces that are Unplugged or in admin down state as the root cause for the node changing status.  This causes alerts to be noisier when an interface that we care about goes down but the node has several unplugged and admin down interfaces.  We would still like to monitor interfaces in these unplugged/admin down state for reporting reasons but not be alerted on them. 

Has anyone came across a similar problem?

Thank you!

Parents
  • I'm not 100% clear on what you're asking, but if it is what I think, then we use a custom property.

    So essentially the custom property is called something like "In_Service" and values are Yes/No. You then build your alerts to only alert if the In_Service = YES and whatever other logic you need.

    You would then need to set the RootCause items that you don't want to alert to a NO value.

    Reporting logic can be left untouched and it would then ignore this custom property.

  • This is something I am also interesting in, when a node has an issue I want to see the interfaces with the issue (i.e. down status) as opposed to seeing interfaces I have shutdown hence there is nothing wrong with them.

    I'm still relatively new to Solarwinds, how would you go about creating the custom property?

  • So Settings >> All Settings >> Node & Group Mgmt >> Manage Custom Properties.
    Add Custom Property
    Change dropdown to Interfaces
    Name it as you desire - maybe "Shutdown_Interface"

    I'd set it as a Yes/No in the format box and value must be specified. Click next, click submit (I wouldn't bother using this section to apply to multiple interfaces).

    Then back in the 'Manage Custom Properties' section find your new CP, select it and click on view/edit values. At this point you can bulk apply your yes/no.

    But personally, if the interface is shutdown I'd remove (untick) it under the 'List Resources' section so it wouldn't come up in any alerts or reports,

  • Thanks for that, on further reflection neither option is great as it still requires a level of manual intervention. 

    For more context this is using the 'node is in a warning or critical state' under child entities with problems it shows something like the following:
    Child entities with problems:
    TenGigabitEthernet1/0/43 · ***** (Interface in Down state)
    TenGigabitEthernet1/1/2 - Te1/1/2 (Interface in Shutdown state)
    TenGigabitEthernet1/1/3 - Te1/1/3 (Interface in Shutdown state)
    TenGigabitEthernet1/1/4 - Te1/1/4 (Interface in Shutdown state)
    TenGigabitEthernet2/0/43 - Te2/0/43 (Interface in Shutdown state)
    TenGigabitEthernet2/0/44 - Te2/0/44 (Interface in Shutdown state)
    TenGigabitEthernet2/0/45 - Te2/0/45 (Interface in Shutdown state)
    TenGigabitEthernet2/0/46 - Te2/0/46 (Interface in Shutdown state)
    TenGigabitEthernet2/0/47 - Te2/0/47 (Interface in Shutdown state)
    TenGigabitEthernet2/0/48 - Te2/0/48 (Interface in Shutdown state)
    ....

    It just makes the emails long when you only really care about the top one.

    I'm starting to think that maybe more specific alerts are better (i.e. interface is down, hardware alerts, etc) rather than the generic warning or critical state alert.

    Thanks for your help Slight smile

Reply
  • Thanks for that, on further reflection neither option is great as it still requires a level of manual intervention. 

    For more context this is using the 'node is in a warning or critical state' under child entities with problems it shows something like the following:
    Child entities with problems:
    TenGigabitEthernet1/0/43 · ***** (Interface in Down state)
    TenGigabitEthernet1/1/2 - Te1/1/2 (Interface in Shutdown state)
    TenGigabitEthernet1/1/3 - Te1/1/3 (Interface in Shutdown state)
    TenGigabitEthernet1/1/4 - Te1/1/4 (Interface in Shutdown state)
    TenGigabitEthernet2/0/43 - Te2/0/43 (Interface in Shutdown state)
    TenGigabitEthernet2/0/44 - Te2/0/44 (Interface in Shutdown state)
    TenGigabitEthernet2/0/45 - Te2/0/45 (Interface in Shutdown state)
    TenGigabitEthernet2/0/46 - Te2/0/46 (Interface in Shutdown state)
    TenGigabitEthernet2/0/47 - Te2/0/47 (Interface in Shutdown state)
    TenGigabitEthernet2/0/48 - Te2/0/48 (Interface in Shutdown state)
    ....

    It just makes the emails long when you only really care about the top one.

    I'm starting to think that maybe more specific alerts are better (i.e. interface is down, hardware alerts, etc) rather than the generic warning or critical state alert.

    Thanks for your help Slight smile

Children
  • How about flipping the interfaces to use an "Unplugged" status instead of "Down"?

    I'm honestly not sure it it'll still show up in your Root Cause, but it might be something worthwhile to investigate.

  • The "down" status is the one we want to see.

    Shutdown we don't care about as that's a port we have admin shut on the switch.

    Unplugged we don't care about as we have gone into to Solarwinds and selected the option you suggested above (usually for user ports).

    Yet the NodeStatusRootCause variable shows us all child entities that are down, shutdown, unplugged and unknown. It would be good if we can set this to ignore shutdown and unplugged.

    Doesn't look like this is an option but I may submit it as a feature request Slight smile