bobmarley ✭✭✭✭✭

Try this, you can do something similar for Audit Events. SELECT TOP 200 [Events].Nodes.Caption , [Events].Nodes.IP_Address , TOLOCAL(EventTime) AS LocalEventTime , [Events].Message FROM Orion.Events Where [Events].Message LIKE '%YOUREVENTMESSAGEFILTERHERE%' Order by EventTime DESC

Try something like this in the Where: WHERE o.AlertActive.TriggeredMessage <> '' AND o.AlertConfigurations.Name LIKE '%YOURALERTNAME%'

SELECT TOP 1000 AuditEventID, ToLocal (TimeLoggedUtc) as LocalTime, AccountID, AuditEventMessage FROM Orion.AuditingEvents Where AuditEventMessage LIKE '%deleted node%' AND TimeLoggedUTC < ADDDAY(+30, GETDATE()) Order BY TimeLoggedUTC desc

You could create a report or widget using the SWQL below SELECT TOP 1000 AuditEventID, ToLocal (TimeLoggedUtc) as LocalTime, AccountID, AuditEventMessage FROM Orion.AuditingEvents Where AuditEventMessage LIKE '%deleted node%' Order BY TimeLoggedUTC desc

Try going to Reports - All Reports then search for Access Point in the search box on the upper right. There should be several reports available.

The name will be in the results of the SWQL query

Thank you!

If you forwarded the alerts from Elk as Syslog messages it should be doable. 

Is there a page where you can view your past earned points?

Have you looked at any of the built in reports?

Here is another way to do it. If you create Groups for your servers you can create a Group alert. Notice at the very bottom the number of servers that need to be in distress is 25 or more. I'm definitely looking at how @"Seashore" did it as well because that looks very interesting

Take a look here, it should get you started if you are interested in using the API (+) Upload Custom Properties - Scripts - The Orion Platform - THWACK (solarwinds.com) If you want to do it using the GUI you just need to create what is needed in a spreadsheet and use the Import feature under Custom Property Management.

This URL shows you how to run a SWQL query within powershell and export the results to a CZV. I'm sure Python would be very similar. (+) Export Custom Properties - Scripts - The Orion Platform - THWACK (solarwinds.com)

Whenever a node is added it is noted in this table, you could set up an alert that would fill in the information as a custom property as @"stuartd" suggested. The custom property could be displayed in the Node Detail page. SELECT TOP 1000 AuditEventID, ToLocal (TimeLoggedUtc) as LocalTime, AccountID, AuditEventMessage FROM…

There are several ways, you could use the scheduling feature that is within the alert itself. You could use the maintenance scheduler tool on the SolarWinds server to schedule outage windows, or use the API to put nodes into maintenance mode. 

Details URL gets passed on in my Splunk instance. That should work for you as well. 

Try downloading one of the modern dashboards from the Content Exchange. If you find one you like edit the SWQL queries withing the modern dashboard to show just the group you are interested in. 

Try restarting the services on your new polling engine, I have ran across this a few times. (as recently as last week) 

Are you simply changing the password for the WMI credentials or changing the credential to a new credential and password? Both are easy to do within the GUI

We use custom properties, but in the Where Clause you could use Vendor instead out of the Nodes table. I don't have one for Wan Interfaces Nodes that are up Total - Edit the Where to your environment. SELECT COUNT(Status) as StatusCount from orion.nodes n Where ((TOUPPER([N].CustomProperties.YOURCUSTOMPROPERTYNAME)…

There are several out of the box alerts you could start with, just search alerts for stack. 

If you want to use a SWQL query try this SELECT [Node].Caption AS [Caption] , [Node].NodeIPAddresses.Interface.Caption AS [Interface Name] , [Node].NodeIPAddresses.IPAddress AS [IP Address] , [Node].NodeIPAddresses.IPAddressType AS [IP Type] FROM Orion.Nodes AS [Node] ORDER BY [Node].Caption ,…

--Count of Down Nodes SELECT Count(Caption) AS Caption --SELECT Caption , StatusDescription -- List of Down Nodes FROM Orion.Nodes Where Status LIKE '2' and [Nodes].CustomProperties.CoreProductionSystem LIKE '%YES%'

SELECT tolocal(TimeLoggedUtc) AS [Last Login] ,AccountID ,AuditEventMessage FROM Orion.AuditingEvents AS AE WHERE daydiff(timeloggedutc ,getutcdate())<1 AND AE.AuditingActionType.ActionType = 'Orion.UserLogin' AND AccountID NOT LIKE '%BobMarley%' AND AccountID NOT LIKE '%_system%' ORDER BY TimeLoggedUtc DESC</pre>

 ${N=SWQL;M=SELECT ErrorMessage FROM Orion.APM.CurrentStatistics } may work, I could not find it in the pre made variables anywhere so did this. One of the SWQL Queries I use to look at those is here and that is where the variable came from. For me Error Message looks like what I'm getting returned from the Statistic.…

Give this a try in your alert ${N=SwisEntity;M=ComponentAlert.StatisticData}

SELECT COUNT(Status) as Status FROM Orion.APM.Application Where Status LIKE '2' AND Name LIKE '%YOURAPPLICATIONNAMEHERE%'

Not exactly what you requested but here is a list of the users that logged in recently. You can add real names in the Case statement. SELECT tolocal(TimeLoggedUtc) AS [Last Login], CASE WHEN AccountID LIKE 'DOMAIN\USER1' THEN 'Bob Marley' WHEN AccountID LIKE 'DOMAIN\USER1' THEN 'George Smith' ELSE AccountID END AS [Name] ,…

I'm here! Starts in 5 minutes :)

Try this, you can enter actual user names in the Case statement. SELECT tolocal(TimeLoggedUtc) AS [Last Login], CASE WHEN AccountID LIKE 'DOMAIN\USER1' THEN 'Bob Marley' WHEN AccountID LIKE 'DOMAIN\USER1' THEN 'George Smith' ELSE AccountID END AS [Name] , AuditEventMessage FROM Orion.AuditingEvents AS AE WHERE…