Nodes down >5 times in 7 days alert.

Hi,

I have created 1 alert for nodes down. It is working fine. Now I need to create another alert which will trigger if the existing alert is triggered more than 5 times for specific nodes. Can anyone help me? How do I create this alert?

  • So we do a similar thing for interfaces. We call it an interface flap alert and we want to know if an interface has triggered more than x times in the last y minutes.

    This is a custom SWQL alert and for your scenario all you need to do is adjust from interfaces to nodes. There are two parts. There's the hard coded part shown below:

     this is the bit to change the dropdown to 'nodes'

    Then there is the custom SWQL:

    -- above code selects the Interfaces table as primary table
    --next line JOINs the Events table so as to pick out event type 10
    
    JOIN Orion.Events AS E ON Interfaces.InterfaceID = E.NetObjectID
    
    -- for testing purposes ADDMINUTE is now changed to 10 as in "3 downs in 10 minutes"
    
    WHERE E.EventTime >= ADDMINUTE(-10, GETUTCDATE()) 
    AND E.EventType = '10'
    
    group by E.EventType
    , Interfaces.InterfaceID
    , Interfaces.DisplayName
    , E.Message
    , Interfaces.Uri
    having count(*)>=3

    Basically, anywhere it says interface, replace it with nodes, change the EventType to = 1, change the ADDMINUTE to ADDDAY, then set the trigger days, etc. as you desire, and add in any other records you want, e.g. IP, etc.

    Using your original request, it would look like this: 

    SELECT Nodes.Uri, Nodes.DisplayName FROM Orion.Nodes AS Nodes
    
    JOIN Orion.Events AS E ON Nodes.NodeID = E.NetObjectID
    
    WHERE E.EventTime >= ADDDAY(-7, GETUTCDATE()) 
    AND E.EventType = '1'
    
    group by E.EventType
    , Nodes.NodeID
    , Nodes.DisplayName
    , E.Message
    , Nodes.Uri
    having count(*)>=5
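
An added example, not part of the original reply: the same count-in-a-window logic run with Python's sqlite3 over constructed events, so the threshold behaviour can be checked offline. SQLite stands in for SWQL here (a computed cutoff replaces ADDDAY/GETUTCDATE), and the table layout, node names and messages are assumptions; it also shows that with the message in the GROUP BY, occurrences are counted per node and message text rather than per node.

```python
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 8, 12, 0, 0)   # constructed "current UTC time"
FMT = "%Y-%m-%d %H:%M:%S"              # text timestamps that sort chronologically

def build_db():
    """In-memory stand-in for Orion.Nodes / Orion.Events (layout is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Nodes (NodeID INTEGER, DisplayName TEXT)")
    db.execute("CREATE TABLE Events (NetObjectID INTEGER, EventType INTEGER,"
               " EventTime TEXT, Message TEXT)")
    db.executemany("INSERT INTO Nodes VALUES (?, ?)",
                   [(1, "core-sw1"), (2, "edge-rtr2"), (3, "lab-fw3")])
    ev = []  # (node id, event type, hours ago, message), all constructed
    ev += [(1, 1, 1 + 12 * i, "core-sw1 down") for i in range(6)]     # 6 in window
    ev += [(2, 1, 2 + 10 * i, "edge-rtr2 down (timeout)") for i in range(3)]
    ev += [(2, 1, 40 + 10 * i, "edge-rtr2 down (unreachable)") for i in range(2)]
    ev += [(3, 1, h, "lab-fw3 down") for h in (5, 30, 192, 216, 240)] # 3 older than 7 days
    ev += [(1, 10, 3, "Gi0/1 down")]                                   # other event type
    db.executemany(
        "INSERT INTO Events VALUES (?, ?, ?, ?)",
        [(n, t, (NOW - timedelta(hours=h)).strftime(FMT), m) for n, t, h, m in ev])
    return db

def flapping(db, days=7, threshold=5, group_by_message=False):
    """Nodes with at least `threshold` type-1 events in the last `days` days."""
    cutoff = (NOW - timedelta(days=days)).strftime(FMT)
    extra = ", E.Message" if group_by_message else ""  # fixed literal, not user input
    sql = f"""SELECT N.DisplayName, COUNT(*) FROM Nodes AS N
              JOIN Events AS E ON N.NodeID = E.NetObjectID
              WHERE E.EventTime >= ? AND E.EventType = 1
              GROUP BY N.NodeID, N.DisplayName{extra}
              HAVING COUNT(*) >= ?
              ORDER BY N.DisplayName"""
    return db.execute(sql, (cutoff, threshold)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(flapping(db))                         # counted per node
    print(flapping(db, group_by_message=True))  # counted per node and message
    print(flapping(db, threshold=6))            # strictly more than 5
```

Passing `threshold=6` corresponds to "more than 5 times"; `threshold=5` corresponds to `count(*)>=5`.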
