Comments
-
Great! Yes, lots of resources for this procedure.
-
Let me see if I'm understanding this. The SWQL on EOC has a different syntax than the SWQL on NPM. Is that correct? Another issue I have come across is that the Duration calculation works fine in NPM but not in EOC. Seems like EOC is doing something different in calculating the HOURDIFF. Here is EOC: Here is NPM: Any ideas?…
-
Hi, I'm trying to use the Details Page Link but I'm not clear on how to use it. Played around with it for 30 mins without success. Is there a doc I can follow? For example, for the "Node", I want it to use the "[_LinkFor_Node]" for the Details Page Link. Not sure how to do that? The error message "NODE - Details Page Link…
-
Another comment. When I run a SWQL on a normal NPM I get the correct result. When I run the same query on an EOC, it doesn't work ...any ideas? Thank you, Amit
-
1) You had mentioned a "Custom Tile" widget...but I'm not seeing it. I'm on the most recent version of NOC. 2) Also in the "Network Devices"...is it really just network devices (Cisco, Juniper, etc) or all devices. I created a "Site Node Summary" for all nodes and the "Network Devices" widget seems to be all "Devices". 3)…
-
Hi. I'm still figuring out what I can do and can't in terms of swql. I have worked on it for just a day and these are the things I have observed. 1) Custom Query a. Without the Custom Query – I can’t get the 5 row pagination which makes the NOC screen more manageable. b. It makes linking more troublesome, because there…
-
A few comments. 1) I didn't see a Custom Query widget. There is a Custom Table where we are limited to SWQL - but no Custom Query. 2) I haven't used EOC in a while and the last time I used it - I remember the ability to change the polling intervals for Orion instances. I don't see that option. 3) The views seem pretty…
-
Great, but don't try it on NPM 12.1 - the custom properties are not displaying in atlas. Try it on 12.2 which just came out.
-
If you have the alerts in place, use that to create a report. The logic should be the same. This is what I generally do for all important alerts - create a corresponding report. If you show us the alert, I can generate the report. Thanks Amit
-
Spoke with SW on this and was told that Multi-tenancy is NOT an architecture SW is based on. Many clients have asked for this feature, and I am told that SW is aware of this issue. I have had quite a few clients ask for this and we are able to implement it to a limited degree. We'll have to wait and watch to see if SW…
-
This has been posted elsewhere in SQL, I made it into a SWQL. You can modify it to put in custom properties as needed. SELECT NodeName AS [Node Name], '/Orion/images/StatusIcons/Small-' + StatusIcon AS [_IconFor_Node Name], DetailsUrl AS [_LinkFor_Node Name],…
-
I have to agree with Nicole and Njoylif. What I have done for other clients is to dump the relevant info in a text file (which is reachable by http), then the final email will point the user to the link. Thanks Amit Loop1 Systems
-
The configs in the database are gone, but they still exist in the archive folder. Many clients have debated this - to store the config in plain text or not to. Some clients have a job to move it to a secure share overnight. Amit Loop1 Systems
-
This is how I see it in terms of priorities (1 being most important) 1. Scripting - Scripting is critical when it comes to SAM and putting in custom scripts to monitor non-standard metrics using powershell/vb/python/linux shell/sql/etc. 2. DB/SQL - It is useful to have a good understanding of how SQL works. All of the back…
-
I spun up two Server2012R2 last night and thought this would be a quick install and validation, but haven't been that lucky. The Primary installed correctly, but the secondary is having issues. One odd thing I noticed is that on the primary, there is no SWJobEngineWorker2 process running. When I applied the Orion…
-
Is this a trick question? Looks like you are using UserLogonFailure in the correlation, but FailedAuthentication to populate the email message. The fields in the email must appear in the correlation. Thanks Amit Loop1 Systems
-
The only time the detection time is different from the insertion time is when the agent loses connectivity to the manager. Once the agent reestablishes connection, the queued data is dumped. Do you have an alert set up for agent disconnects?
-
Could be any number of issues, as curtisi pointed out. Anything which interrupts the connection between the agent and manager. A sure way of knowing is by looking at the insertion time and detection time. If those two times are more than a few seconds apart - there was a disruption in communication and the agent is sending…
-
Hey phillipscc just posted a solution. UDT Port resource/report (swql) Thanks Amit
-
Before starting the reporting, are you polling for this information? If not, I would start with universal device poller (UnDP). The OID for client connection is 1.3.6.1.4.1.3417.2.11.3.1.3.1. When I was browsing the MIB, I did not see one for TCP connections. I also did not see a Bluecoat UnDP template in the content…
-
You need to join it to the nodes tables to pull custom properties (or other node related information) SELECT DISTINCT ahv.Name 'Alert Name' ,ahv.RelatedNodeCaption 'Parent Device' ,ahv.EntityCaption 'Alert Object' ,ISNULL(lastOne.Qty,0) 'Last 1 Day' ,ISNULL(lastSeven.Qty,0) 'Last 7 Days' ,ISNULL(lastThirty.Qty,0) 'Last 30…
-
Non-Linear Correlation I have had people ask me to show them a concrete example of non-linear correlation in LEM. This idea is more of a statistical relationship within the dataset rather than creating a 'non-linear' filter rule.
-
This is the script I have used for many of my clients: SELECT n.Caption as Node_Name, n.ip_address as IP_Address, n.ObjectSubType as Poll_Type ,Cast(DateDiff(day,MAX(c.datetime),getdate()) as varchar) + ' Day(s) ' + convert(char(8),dateadd(second,DateDiff(second,MAX(c.datetime),getdate()),0),14) as Duration…
-
Even if it is not a valid vendor, LEM will save all syslogs it receives. Without the proper connector, it will not parse the data - but you can still search the raw syslog using nDepth. Amit Shah Loop1 Systems
-
The only time I have seen this type of specific reporting is with a company who had a Crystal Reports developer on staff. To generate the specific event, at least in syslog, I have used the kiwi syslog generator to send specific syslog messages to LEM to test out a filter. Amit Shah Loop1 Systems
-
I have been with dozens of clients who have improperly configured syslog connectors using the auto feature. Whenever LEM notifies us that it found a new node, I typically cancel it and talk with the networking people if they configured a device to send syslog to LEM. Once confirmed, cmc into LEM and look at the checklogs…
-
Add an order by n.caption. SWQL sort of requires an order by when you are using it as a widget. Your script worked for me when I used it as a widget and added order by n.caption
-
I have seen clients use LEM primarily as a reporting SIEM with limited active response. In one instance of an active response, the user was locked out of the network - and the user happened to be the CEO. He was not amused. You need to be really careful when constructing an active response. As suggested by curtisi, you can…
-
humejo is correct and it is listed on the SolarWinds kb: SolarWinds Knowledge Base :: Hardware Health: SAM & NPM Differences Using NPM, you can poll the HDD for events such as low available space - which is the most common type of alert for volume monitoring. UnDP can grab some hw info, but it's a time intensive process. I had…
-
One main reason is that the Linux agent may not have a connector for the software being monitored - but the software is capable of syslog. In this case the software would send the syslog to LEM. LEM would then normalize the data and present it. Syslog, of course, is very chatty and we want to limit this as much as…