Little bit confused while making an alerts

Question

Hi Team, 
 Greetings! 
 
 I'm trying to make an alert based on the criteria below on those 11 nodes, we monitor with SW agents. 
 1. RAM Utilization =>96 Warning 
 2. RAM Utilization =>98 Critical 
 3. CPU Utilization => 80 Warning 
 4. CPU Utilization => 90 Critical 
 5. Disk Utilization => 75 Warning 
 6. Disk Utilization => 85 Critical 
 7. Any nodes down alert 
 
 I tried to make a few alerts to achieve the above requirements, but as per my knowledge, we can't achieve them in one alert. But when I create an alert for disk utilization, it gives me the wrong alert, maybe I used the wrong field. 
 I have not tested the alert for RAM and CPU and node down alert yet. Can you please tell me the best possible way to achieve above mentioned requirements? We have NTA & NPM in our SW environment.

antonis.athanasiou · Accepted Answer

There are a few ways to achieve this. 
 First, it's important to understand that an alert will trigger when a predefined condition is met on specific objects such as nodes or volumes or interfaces etc. By default, there is no option through the dropdown list to 'bind' nodes, volumes, CPU and memory utilisation in one single alert. 
 
 One option is to use the threshold values for each object/stat (CPU, RAM, Volumes), take advantage of the Node child status participation and create an alert with a simple condition when the node is in a warning status or in a warning status or the node is down. This would of course trigger for any other reason where the node is in a warning or critical state. 
 If you're comfortable with SQL/SWQL queries (SWQL is better) you can create your own trigger definition, see sample below:

However I don't recommend any of the above methods as they are either not going to be accurate enough or won't provide any immidiate clear indication why the alert has been raised. Instead, I would challenge whether there is any specific reason to consolidate all the trigger conditions into a single alert? As a generic principal I try to keep alerts that have to be actioned (i.e, a node is down <- needs to be investigated) and avoid informational (such as CPU is warning but not critical yet) to minimise the noise. 
 I'd suggest to create 4 alerts as per below unless there's a specific requirement: 
 - CPU usage above its critical threshold for XX minutes (to avoid spikes) - RAM Utilization above its critical threshold for XX minutes (avoiding spikes again) - Node is down - Volume usage is above critical OR free space is below XX GBs (since percentages won't give you absolute figures and can be challenging when comparing 5% free space on a 1TB volume vs a 10GB volume) 
 
 Antonis

Little bit confused while making an alerts

Top Replies