How to find effectively disabled alerts/actions?

It seems like there's a large number of ways that Alerts and Actions in Orion can be set up where they don't actually do anything.

Examples: Enabled alert config/definition with all actions disabled. Action with no ActionAssignment, Action that is only assigned to a disabled Alert config, impossible scheduling, email actions with no valid destinations.

I'm sure I'm missing more ways.

I'm looking for any suggestions or guidance on finding these "effectively disabled" alerts and actions so I can remove them from my Orion environment. I've inherited a mess and been left to sort out what was dumped on my lap into a useful monitoring/reporting tool, as it isn't currently. Less noise to sort through will make analyzing and consolidating the rest easier.

So far I've been using SwisPowerShell to grab and push data, so SWQL queries and Powershell is extra appreciated.

Sidenote: I've been trying to figure out the relationships between Actions, ActionAssignments, AlertConfigurations, and AlertDefinitions.

Want to confirm if this is right: 1 Action -> Many ActionAssignments. Many ActionAssignments -> 1 AlertConfiguration. 1 AlertConfig <-> 1 AlertDefinition.

Thanks in advance!

  • This is the relationships for the Orion.Alert% and Orion.Action% entities (as of the 2022.2 release)

    Entity Name Navigation Property in "Name (Target Entity)" format
    Orion.ActionAssignmentProperties Assignments (Orion.ActionsAssignments)
    Orion.Actions AlertIncident (Orion.ESI.AlertIncident)
    Orion.Actions Assignments (Orion.ActionsAssignments)
    Orion.Actions Properties (Orion.ActionsProperties)
    Orion.ActionsAssignments Action (Orion.Actions)
    Orion.ActionsAssignments Properties (Orion.ActionAssignmentProperties)
    Orion.ActionsProperties Action (Orion.Actions)
    Orion.AlertActive AlertActiveObjects (Orion.AlertActiveObjects)
    Orion.AlertActive AlertObjects (Orion.AlertObjects)
    Orion.AlertActiveObjects AlertActive (Orion.AlertActive)
    Orion.AlertConfigurations AlertObject (Orion.AlertObjects)
    Orion.AlertConfigurations CustomProperties (Orion.AlertConfigurationsCustomProperties)
    Orion.AlertConfigurationsCustomProperties Alert (Orion.AlertConfigurations)
    Orion.AlertHistory AlertObjects (Orion.AlertObjects)
    Orion.AlertObjects AlertActive (Orion.AlertActive)
    Orion.AlertObjects AlertConfigurations (Orion.AlertConfigurations)
    Orion.AlertObjects AlertHistory (Orion.AlertHistory)
    Orion.AlertObjects AlertIncident (Orion.ESI.AlertIncident)
    Orion.AlertObjects Node (Orion.Nodes)
    Orion.ESI.AlertIncident Actions (Orion.Actions)
    Orion.ESI.AlertIncident AlertObjects (Orion.AlertObjects)
    Orion.Nodes AlertObjects (Orion.AlertObjects)
    Orion.ServiceDesk.AlertIncident Actions (Orion.Actions)
    Orion.ServiceDesk.AlertIncident AlertObjects (Orion.AlertObjects)
    Orion.ServiceNow.AlertIncident Actions (Orion.Actions)
    Orion.ServiceNow.AlertIncident AlertObjects (Orion.AlertObjects)

    If you aren't running the same version, you can run the below query in SWQL Studio to get the relationships:

    SELECT [Properties].EntityName AS [Entity Name]
          , CONCAT([Properties].Name, ' (', [Properties].Type, ')') AS [Navigation Property in "Name (Target Entity)" format]
    FROM Metadata.Property AS [Properties]
    WHERE [Properties].IsNavigable = 'True'
      AND [Properties].IsObsolete = 'False'
      AND (
            [Properties].EntityName LIKE 'Orion.Alert%'
         OR [Properties].EntityName LIKE 'Orion.Action%'
         OR [Properties].Type LIKE 'Orion.Alert%'
         OR [Properties].Type LIKE 'Orion.Action%'
      AND [Properties].Name NOT IN ('OrionSite')
    ORDER BY [Properties].EntityName
           , [Properties].Name
           , [Properties].Type